GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-12 09:54:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000063 WDC_WD16 rev.11.0 149,05GB Running: 2i2o41ls.exe; Driver: C:\Users\LILAIL~1\AppData\Local\Temp\axtdrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\system32\services.exe[648] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd53e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\lsass.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd53e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[356] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000012a50a0 6 bytes {JMP QWORD [RIP+0x10af90]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes JMP 8f48f78 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes JMP 8f0f960 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes JMP 638881 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes JMP 6c006c .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes JMP 2d85c0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes JMP b3a5871 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes JMP b3ccbd1 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes JMP c67e81 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes JMP 11200 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes JMP a4852a1 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes JMP b394141 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes JMP 9359501 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes JMP 1e2c0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes JMP 450038 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes JMP c80 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes JMP a9f881 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes JMP c798c99 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes JMP c799f01 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes JMP b78df29 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes JMP 88682c8 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1080] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011750a0 6 bytes {JMP QWORD [RIP+0x15af90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd53e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1112] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000012b50a0 6 bytes {JMP QWORD [RIP+0x3eaf90]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x27dd64]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x29db70]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x2ba440]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x237c98]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x217658]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x256cec]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x2f4638]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x2d3750]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd53e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x1c6cec]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x1c6cec]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\system32\Dwm.exe[2076] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x1c6cec]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076ea6ef0 6 bytes {JMP QWORD [RIP+0x94f9140]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076ea8184 6 bytes {JMP QWORD [RIP+0x95d7eac]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetParent 0000000076ea8530 6 bytes {JMP QWORD [RIP+0x9517b00]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076ea9bcc 6 bytes {JMP QWORD [RIP+0x9276464]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eaa404 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!EnableWindow 0000000076eaaaa0 6 bytes {JMP QWORD [RIP+0x9615590]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!MoveWindow 0000000076eaaad0 6 bytes {JMP QWORD [RIP+0x9535560]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076eac720 6 bytes {JMP QWORD [RIP+0x94d3910]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076eacd50 6 bytes {JMP QWORD [RIP+0x95b32e0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ead2b0 6 bytes {JMP QWORD [RIP+0x92f2d80]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ead338 6 bytes {JMP QWORD [RIP+0x9332cf8]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076eadc40 6 bytes {JMP QWORD [RIP+0x94123f0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076eaf510 6 bytes {JMP QWORD [RIP+0x95f0b20]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076eaf874 6 bytes {JMP QWORD [RIP+0x92307bc]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076eafac0 6 bytes {JMP QWORD [RIP+0x9390570]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076eb0b74 6 bytes {JMP QWORD [RIP+0x930f4bc]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076eb33b0 6 bytes {JMP QWORD [RIP+0x928cc80]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076eb4d4d 5 bytes {JMP QWORD [RIP+0x924b2e4]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!GetKeyState 0000000076eb5010 6 bytes {JMP QWORD [RIP+0x94ab020]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076eb5438 6 bytes JMP 93cac00 .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageW 0000000076eb6b50 6 bytes {JMP QWORD [RIP+0x93494e0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!PostMessageW 0000000076eb76e4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ebdd90 6 bytes {JMP QWORD [RIP+0x94422a0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ebe874 6 bytes {JMP QWORD [RIP+0x95817bc]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ebf780 6 bytes {JMP QWORD [RIP+0x95408b0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ec28e4 6 bytes {JMP QWORD [RIP+0x93dd74c]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!mouse_event 0000000076ec3894 6 bytes {JMP QWORD [RIP+0x91dc79c]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ec8a10 6 bytes {JMP QWORD [RIP+0x9477620]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ec8be0 6 bytes {JMP QWORD [RIP+0x9357450]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ec8c20 6 bytes {JMP QWORD [RIP+0x91f7410]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendInput 0000000076ec8cd0 6 bytes {JMP QWORD [RIP+0x9457360]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!BlockInput 0000000076ecad60 6 bytes {JMP QWORD [RIP+0x95552d0]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ef14e0 6 bytes {JMP QWORD [RIP+0x95eeb50]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!keybd_event 0000000076f145a4 6 bytes {JMP QWORD [RIP+0x916ba8c]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f1cc08 6 bytes JMP 93c3430 .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f1df18 6 bytes {JMP QWORD [RIP+0x9342118]} .text C:\Windows\Explorer.EXE[2088] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcc850a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes JMP 340039 .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes JMP 10001aaf .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Program Files\IDT\WDM\sttray64.exe[3208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772bfb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772bfb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772bfcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772bfd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772bfd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772bfdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772bfdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772bfec4 2 bytes [D8, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772bff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772bff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772bffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772bffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772c0008 2 bytes [FC, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772c0084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772c0088 2 bytes [F9, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772c00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772c00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772c03bc 2 bytes [C9, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772c03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772c03d4 2 bytes [0E, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772c0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772c0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772c0698 2 bytes [ED, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772c06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772c06f8 2 bytes [05, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772c079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772c07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772c07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772c07e8 2 bytes [FF, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772c0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772c0878 2 bytes [02, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772c0890 2 bytes [D5, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772c08a8 2 bytes [CC, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772c0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772c0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772c1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772c1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772c1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772e3a8e 6 bytes JMP 71a8000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076943bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076943bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000768cf784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000768d2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cc58b3 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cc5ea6 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cc7bcc 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074ccb895 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074ccc332 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cccbfb 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cce743 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074cf4857 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076528332 6 bytes JMP 716c000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076528bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765290d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076529679 6 bytes JMP 715a000a .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765297d2 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007652ee09 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007652efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007652efcd 2 bytes [20, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765312a5 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007653291f 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetParent 0000000076532d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076532d68 2 bytes [2F, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076532da4 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076533698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007653369c 2 bytes [2C, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076533baa 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076533c61 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076536110 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007653612e 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076536c30 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076537603 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076537668 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765376e0 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007653781f 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007653835c 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007653c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007653c4ba 2 bytes [29, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007654c112 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007654d0f5 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007654eb96 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007654ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007654ec6c 2 bytes [3B, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendInput 000000007654ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007654ff4e 2 bytes [3E, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076569f1d 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076571497 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!mouse_event 000000007658027b 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765802bf 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076586cfc 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076586d5d 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076587dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076587ddb 2 bytes [26, 71] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765888eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3740] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000765888ef 2 bytes [32, 71] .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\svchost.exe[4552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4552] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4552] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000013750a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes CALL 9000027 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077110730 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076528332 6 bytes JMP 716c000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076528bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765290d3 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076529679 6 bytes JMP 715a000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765297d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007652ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007652efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007652efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765312a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007653291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetParent 0000000076532d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076532d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076532da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076533698 3 bytes JMP 712d000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007653369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076533baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076533c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076536110 6 bytes JMP 716f000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007653612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076536c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076537603 6 bytes JMP 7175000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076537668 6 bytes JMP 7148000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765376e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007653781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007653835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007653c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007653c4ba 2 bytes [29, 71] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007654c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007654d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007654eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007654ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007654ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendInput 000000007654ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007654ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076569f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076571497 6 bytes JMP 7115000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!mouse_event 000000007658027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765802bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076586cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076586d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076587dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076587ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765888eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000765888ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772bfb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772bfb2c 2 bytes [CF, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772bfcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772bfd68 2 bytes [DB, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772bfdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772bfec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772bfec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772bff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772bff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772bffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772bffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772c0008 2 bytes [FC, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772c0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772c0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772c00b8 2 bytes [DE, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772c03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772c03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772c03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772c03d4 2 bytes [0E, 71] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772c0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772c0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772c0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772c0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772c06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772c06f8 2 bytes [05, 71] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772c079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772c07a0 2 bytes [0B, 71] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772c07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772c07e8 2 bytes [FF, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772c0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772c0878 2 bytes [02, 71] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772c0890 2 bytes [D5, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772c08a8 2 bytes [CC, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772c0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772c0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772c1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772c1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772c1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772e3a8e 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076943bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[5096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076943bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes CALL 0 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes JMP 200073 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x1c6cec]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[7956] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x933cfb0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077110670 6 bytes {JMP QWORD [RIP+0x900f9c0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x92ef990]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x9e4f8c0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771107d0 6 bytes {JMP QWORD [RIP+0x8fef860]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771107e0 6 bytes {JMP QWORD [RIP+0x924f850]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x9d3f7c0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x922f750]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x91cf710]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077110940 6 bytes {JMP QWORD [RIP+0x926f6f0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771109b0 6 bytes {JMP QWORD [RIP+0x908f680]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x9def670]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x906f600]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x91af5e0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x9cbf5a0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x9cdf550]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x920f530]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x8faf340]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x8f8f330]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x8fcf230]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x916f160]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x90af120]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x902f0b0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077110f90 6 bytes {JMP QWORD [RIP+0x91ef0a0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x912f080]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x90ef020]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x9e0f010]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x9e6f000]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077111090 6 bytes {JMP QWORD [RIP+0x918efa0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x9d6ec90]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x9e2ec00]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077111490 6 bytes {JMP QWORD [RIP+0x92aeba0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771114a0 6 bytes {JMP QWORD [RIP+0x928eb90]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771114d0 6 bytes {JMP QWORD [RIP+0x90ceb60]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077111540 6 bytes {JMP QWORD [RIP+0x904eaf0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077111590 6 bytes {JMP QWORD [RIP+0x910eaa0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077111aa0 6 bytes {JMP QWORD [RIP+0x914e590]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x9d8e390]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077111cc0 6 bytes {JMP QWORD [RIP+0x92ce370]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x9cfe310]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x9d1e290]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076fa62e0 6 bytes {JMP QWORD [RIP+0x9079d50]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076fb3a20 6 bytes {JMP QWORD [RIP+0x90cc610]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x98224b0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000770216e0 6 bytes {JMP QWORD [RIP+0x901e950]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd068ef1 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes JMP 650052 .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff24687c 6 bytes {JMP QWORD [RIP+0x1e97b4]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff248e30 6 bytes {JMP QWORD [RIP+0x267200]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff24995c 6 bytes {JMP QWORD [RIP+0x2466d4]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff2499e4 6 bytes {JMP QWORD [RIP+0x13664c]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff249ac8 6 bytes {JMP QWORD [RIP+0x116568]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff24a51c 6 bytes {JMP QWORD [RIP+0x1c5b14]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff24a530 6 bytes {JMP QWORD [RIP+0x1a5b00]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff24a5b0 5 bytes [FF, 25, 80, 5A, 15] .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff24a5c4 6 bytes JMP 272d .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff24bb28 6 bytes {JMP QWORD [RIP+0x204508]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff24bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[7336] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff24bb40 2 bytes [22, 00] .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd53e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes {JMP QWORD [RIP+0x35dd64]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x37db70]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x39a440]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x317c98]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x2f7658]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x336cec]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x3d4638]} .text C:\Windows\system32\svchost.exe[7336] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x3b3750]} .text C:\Windows\system32\svchost.exe[7336] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000019650a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x933cfb0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077110670 6 bytes {JMP QWORD [RIP+0x900f9c0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x92ef990]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x9e4f8c0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771107d0 6 bytes {JMP QWORD [RIP+0x8fef860]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771107e0 6 bytes {JMP QWORD [RIP+0x924f850]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x9d3f7c0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x922f750]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x91cf710]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077110940 6 bytes {JMP QWORD [RIP+0x926f6f0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771109b0 6 bytes {JMP QWORD [RIP+0x908f680]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x9def670]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x906f600]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x91af5e0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x9cbf5a0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x9cdf550]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x920f530]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x8faf340]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x8f8f330]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x8fcf230]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x916f160]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x90af120]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x902f0b0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077110f90 6 bytes {JMP QWORD [RIP+0x91ef0a0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x912f080]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x90ef020]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x9e0f010]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x9e6f000]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077111090 6 bytes {JMP QWORD [RIP+0x918efa0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x9d6ec90]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x9e2ec00]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077111490 6 bytes {JMP QWORD [RIP+0x92aeba0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771114a0 6 bytes {JMP QWORD [RIP+0x928eb90]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771114d0 6 bytes {JMP QWORD [RIP+0x90ceb60]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077111540 6 bytes {JMP QWORD [RIP+0x904eaf0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077111590 6 bytes {JMP QWORD [RIP+0x910eaa0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077111aa0 6 bytes {JMP QWORD [RIP+0x914e590]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x9d8e390]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077111cc0 6 bytes {JMP QWORD [RIP+0x92ce370]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x9cfe310]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x9d1e290]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076fa62e0 6 bytes {JMP QWORD [RIP+0x9079d50]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076fb3a20 6 bytes {JMP QWORD [RIP+0x90cc610]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x98224b0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000770216e0 6 bytes {JMP QWORD [RIP+0x901e950]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd068ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff24687c 6 bytes {JMP QWORD [RIP+0x1e97b4]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff248e30 6 bytes {JMP QWORD [RIP+0x267200]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff24995c 6 bytes {JMP QWORD [RIP+0x2466d4]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff2499e4 6 bytes {JMP QWORD [RIP+0x13664c]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff249ac8 6 bytes {JMP QWORD [RIP+0x116568]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff24a51c 6 bytes {JMP QWORD [RIP+0x1c5b14]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff24a530 6 bytes {JMP QWORD [RIP+0x1a5b00]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff24a5b0 5 bytes [FF, 25, 80, 5A, 15] .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff24a5c4 6 bytes {JMP QWORD [RIP+0x175a6c]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff24bb28 6 bytes {JMP QWORD [RIP+0x204508]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff24bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[4880] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff24bb40 2 bytes [22, 00] .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x336cec]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x3b3750]} .text C:\Windows\system32\svchost.exe[4880] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000018e50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!IcmpCloseHandle 000007fefbf77cc0 6 bytes {JMP QWORD [RIP+0x1b8370]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2Ex 000007fefbf77f5c 6 bytes {JMP QWORD [RIP+0x1780d4]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!IcmpCreateFile 000007fefbf78250 6 bytes {JMP QWORD [RIP+0xf7de0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho 000007fefbf78340 6 bytes {JMP QWORD [RIP+0x137cf0]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2 000007fefbf7839c 6 bytes {JMP QWORD [RIP+0x157c94]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!Icmp6SendEcho2 000007fefbf79ce0 6 bytes {JMP QWORD [RIP+0x196350]} .text C:\Windows\system32\svchost.exe[4880] C:\Windows\system32\IPHLPAPI.DLL!Icmp6CreateFile 000007fefbf7a030 6 bytes {JMP QWORD [RIP+0x116000]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770e3080 6 bytes {JMP QWORD [RIP+0x8f5cfb0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771106a0 6 bytes {JMP QWORD [RIP+0x8f0f990]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077110770 6 bytes {JMP QWORD [RIP+0x96af8c0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077110870 6 bytes {JMP QWORD [RIP+0x954f7c0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771108e0 6 bytes {JMP QWORD [RIP+0x962f750]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077110920 6 bytes {JMP QWORD [RIP+0x95ef710]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771109c0 6 bytes {JMP QWORD [RIP+0x964f670]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077110a30 6 bytes {JMP QWORD [RIP+0x944f600]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077110a50 6 bytes {JMP QWORD [RIP+0x95cf5e0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077110a90 6 bytes {JMP QWORD [RIP+0x94cf5a0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077110ae0 6 bytes {JMP QWORD [RIP+0x94ef550]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077110b00 6 bytes {JMP QWORD [RIP+0x960f530]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077110cf0 6 bytes {JMP QWORD [RIP+0x96ef340]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077110d00 6 bytes {JMP QWORD [RIP+0x940f330]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077110e00 6 bytes {JMP QWORD [RIP+0x93ef230]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077110ed0 6 bytes {JMP QWORD [RIP+0x956f160]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077110f10 6 bytes {JMP QWORD [RIP+0x946f120]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077110f80 6 bytes {JMP QWORD [RIP+0x942f0b0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077110fb0 6 bytes {JMP QWORD [RIP+0x94af080]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077111010 6 bytes {JMP QWORD [RIP+0x948f020]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077111020 6 bytes {JMP QWORD [RIP+0x966f010]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077111030 6 bytes {JMP QWORD [RIP+0x96cf000]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771113a0 6 bytes {JMP QWORD [RIP+0x958ec90]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077111430 6 bytes {JMP QWORD [RIP+0x968ec00]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077111ca0 6 bytes {JMP QWORD [RIP+0x95ae390]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077111d20 6 bytes {JMP QWORD [RIP+0x950e310]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077111da0 6 bytes {JMP QWORD [RIP+0x952e290]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 0000000076fbdb80 6 bytes {JMP QWORD [RIP+0x90a24b0]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd069055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0753c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff1d22cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!BitBlt 000007feff1d24c0 6 bytes {JMP QWORD [RIP+0x21db70]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff1d5bf0 6 bytes {JMP QWORD [RIP+0x23a440]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff1d8398 6 bytes {JMP QWORD [RIP+0x1a7c98]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff1d89d8 6 bytes {JMP QWORD [RIP+0x187658]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!GetPixel 000007feff1d9344 6 bytes {JMP QWORD [RIP+0x1c6cec]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff1db9f8 6 bytes {JMP QWORD [RIP+0x274638]} .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff1dc8e0 6 bytes {JMP QWORD [RIP+0x253750]} .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772bf9e0 3 bytes JMP 71af000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772bf9e4 2 bytes JMP 71af000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772bfb28 3 bytes JMP 70d0000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772bfb2c 2 bytes JMP 70d0000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772bfcb0 3 bytes JMP 70f1000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772bfcb4 2 bytes JMP 70f1000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772bfd64 3 bytes JMP 70dc000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772bfd68 2 bytes JMP 70dc000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772bfdc8 3 bytes JMP 70e2000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772bfdcc 2 bytes JMP 70e2000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772bfec0 3 bytes JMP 70d9000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772bfec4 2 bytes JMP 70d9000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772bff74 3 bytes JMP 7109000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772bff78 2 bytes JMP 7109000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772bffa4 3 bytes JMP 70e5000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772bffa8 2 bytes JMP 70e5000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772c0004 3 bytes JMP 70fd000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772c0008 2 bytes JMP 70fd000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772c0084 3 bytes JMP 70fa000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772c0088 2 bytes JMP 70fa000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772c00b4 3 bytes JMP 70df000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772c00b8 2 bytes JMP 70df000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772c03b8 3 bytes JMP 70ca000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772c03bc 2 bytes JMP 70ca000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772c03d0 3 bytes JMP 710f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772c03d4 2 bytes JMP 710f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772c0550 3 bytes JMP 7112000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772c0554 2 bytes JMP 7112000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772c0694 3 bytes JMP 70ee000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772c0698 2 bytes JMP 70ee000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772c06f4 3 bytes JMP 7106000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772c06f8 2 bytes JMP 7106000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772c079c 3 bytes JMP 710c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772c07a0 2 bytes JMP 710c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772c07e4 3 bytes JMP 7100000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772c07e8 2 bytes JMP 7100000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772c0874 3 bytes JMP 7103000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772c0878 2 bytes JMP 7103000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772c088c 3 bytes JMP 70d6000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772c0890 2 bytes JMP 70d6000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772c08a4 3 bytes JMP 70cd000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772c08a8 2 bytes JMP 70cd000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772c0df4 3 bytes JMP 70eb000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772c0df8 2 bytes JMP 70eb000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772c0ed8 3 bytes JMP 70d3000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772c0edc 2 bytes JMP 70d3000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772c1be4 3 bytes JMP 70e8000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772c1be8 2 bytes JMP 70e8000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772c1cb4 3 bytes JMP 70f7000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772c1cb8 2 bytes JMP 70f7000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772c1d8c 3 bytes JMP 70f4000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772c1d90 2 bytes JMP 70f4000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772e3a8e 6 bytes JMP 71a8000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076943bbb 3 bytes JMP 719c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076943bbf 2 bytes JMP 719c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000769ab2fe 5 bytes JMP 0000000103999220 .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000768cf784 6 bytes JMP 719f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000768d2c9e 4 bytes CALL 71ac0000 .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076528332 6 bytes JMP 716c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076528bff 6 bytes JMP 7160000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765290d3 6 bytes JMP 711b000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076529679 6 bytes JMP 715a000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765297d2 6 bytes JMP 7154000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007652ee09 6 bytes JMP 7172000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007652efc9 3 bytes JMP 7121000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007652efcd 2 bytes JMP 7121000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765312a5 6 bytes JMP 7166000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007653291f 6 bytes JMP 7139000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetParent 0000000076532d64 3 bytes JMP 7130000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076532d68 2 bytes JMP 7130000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076532da4 6 bytes JMP 7118000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076533698 3 bytes JMP 712d000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007653369c 2 bytes JMP 712d000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076533baa 6 bytes JMP 7169000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076533c61 6 bytes JMP 7163000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076536110 6 bytes JMP 716f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007653612e 6 bytes JMP 715d000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076536c30 6 bytes JMP 711e000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076537603 6 bytes JMP 7175000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076537668 6 bytes JMP 7148000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765376e0 6 bytes JMP 714e000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007653781f 6 bytes JMP 7157000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007653835c 6 bytes JMP 7178000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007653c4b6 3 bytes JMP 712a000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007653c4ba 2 bytes JMP 712a000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007654c112 6 bytes JMP 7145000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007654d0f5 6 bytes JMP 7142000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007654eb96 6 bytes JMP 7136000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007654ec68 3 bytes JMP 713c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007654ec6c 2 bytes JMP 713c000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendInput 000000007654ff4a 3 bytes JMP 713f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007654ff4e 2 bytes JMP 713f000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076569f1d 6 bytes JMP 7124000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076571497 6 bytes JMP 7115000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!mouse_event 000000007658027b 6 bytes JMP 717b000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!keybd_event 00000000765802bf 6 bytes JMP 717e000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076586cfc 6 bytes JMP 7151000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076586d5d 6 bytes JMP 714b000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076587dd7 3 bytes JMP 7127000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076587ddb 2 bytes JMP 7127000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000765888eb 3 bytes JMP 7133000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000765888ef 2 bytes JMP 7133000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cc58b3 6 bytes JMP 7190000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cc5ea6 6 bytes JMP 718a000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cc7bcc 6 bytes JMP 7199000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074ccb895 6 bytes JMP 7181000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074ccc332 6 bytes JMP 7187000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cccbfb 6 bytes JMP 7193000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cce743 6 bytes JMP 7196000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074cf4857 6 bytes JMP 7184000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c6124a 6 bytes JMP 718d000a .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076831465 2 bytes [83, 76] .text C:\Users\Lila i Leoś\Desktop\vir\gmer\2i2o41ls.exe[7268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768314bb 2 bytes [83, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\services.exe [648:3592] 0000000001c00050 Thread C:\Windows\system32\services.exe [648:3712] 0000000001c00050 Thread C:\Windows\system32\services.exe [648:2532] 0000000001c00050 Thread C:\Windows\system32\services.exe [648:3716] 0000000001c00050 Thread C:\Windows\system32\svchost.exe [888:940] 0000000001a20050 Thread C:\Windows\system32\svchost.exe [888:944] 0000000001a20050 Thread C:\Windows\system32\svchost.exe [888:948] 0000000001a20050 Thread C:\Windows\system32\svchost.exe [888:952] 0000000001a20050 Thread C:\Windows\system32\svchost.exe [1112:1828] 0000000001c60050 Thread C:\Windows\system32\svchost.exe [1112:1832] 0000000001c60050 Thread C:\Windows\system32\svchost.exe [1112:1836] 0000000001c60050 Thread C:\Windows\system32\svchost.exe [1112:1840] 0000000001c60050 Thread C:\Windows\System32\spoolsv.exe [1864:1308] 0000000002e00050 Thread C:\Windows\System32\spoolsv.exe [1864:1388] 0000000002e00050 Thread C:\Windows\System32\spoolsv.exe [1864:1396] 0000000002e00050 Thread C:\Windows\System32\spoolsv.exe [1864:1392] 0000000002e00050 Thread C:\Windows\system32\svchost.exe [1940:2396] 00000000015b0050 Thread C:\Windows\system32\svchost.exe [1940:2400] 00000000015b0050 Thread C:\Windows\system32\svchost.exe [1940:2404] 00000000015b0050 Thread C:\Windows\system32\svchost.exe [1940:2408] 00000000015b0050 Thread C:\Windows\Explorer.EXE [2088:4732] 0000000004980050 Thread C:\Windows\Explorer.EXE [2088:2692] 0000000004980050 Thread C:\Windows\Explorer.EXE [2088:3268] 0000000004980050 Thread C:\Windows\Explorer.EXE [2088:3788] 0000000004980050 Thread C:\Windows\Explorer.EXE [2088:4200] 000000000499e8b0 Thread C:\Windows\Explorer.EXE [2088:856] 000000000499e8b0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5648] 0000000002210050 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5652] 0000000002210050 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5656] 0000000002210050 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5660] 0000000002210050 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5668] 000000000222e8b0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4840:5680] 000000000222e8b0 Thread C:\Windows\System32\svchost.exe [4268:4756] 0000000001380050 Thread C:\Windows\System32\svchost.exe [4268:4740] 0000000001380050 Thread C:\Windows\System32\svchost.exe [4268:4516] 0000000001380050 Thread C:\Windows\System32\svchost.exe [4268:3764] 0000000001380050 Thread C:\Windows\system32\svchost.exe [4880:3064] 0000000001a10050 Thread C:\Windows\system32\svchost.exe [4880:6516] 0000000001a10050 Thread C:\Windows\system32\svchost.exe [4880:3404] 0000000001a10050 Thread C:\Windows\system32\svchost.exe [4880:4236] 0000000001a10050 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----