GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-15 18:23:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-4 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: krs4fhov.exe; Driver: C:\Users\PeDZeL\AppData\Local\Temp\uwdyipow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800039c1000 19 bytes [44, 4C, 89, 6C, 24, 30, 48, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 548 fffff800039c1014 44 bytes [8B, C6, 44, 8B, C5, 49, 8B, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88002e28d8c 12 bytes {MOV RAX, 0xfffffa80050ca2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 0 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes JMP 220 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefede4750 6 bytes JMP 15a090 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c17640 6 bytes {JMP QWORD [RIP+0x97c89f0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c19554 6 bytes {JMP QWORD [RIP+0x98a6adc]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetParent 0000000076c19870 6 bytes {JMP QWORD [RIP+0x97e67c0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076c1c044 6 bytes {JMP QWORD [RIP+0x9543fec]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c1ca54 6 bytes {JMP QWORD [RIP+0x95835dc]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c1d0f0 6 bytes {JMP QWORD [RIP+0x98e2f40]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c1d120 6 bytes {JMP QWORD [RIP+0x9802f10]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c1f0c4 6 bytes {JMP QWORD [RIP+0x97a0f6c]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c1f690 6 bytes {JMP QWORD [RIP+0x98809a0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c1fc50 6 bytes {JMP QWORD [RIP+0x95c03e0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c1fcd8 6 bytes {JMP QWORD [RIP+0x9600358]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c203f0 6 bytes {JMP QWORD [RIP+0x96dfc40]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c21f30 6 bytes {JMP QWORD [RIP+0x98be100]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c22294 6 bytes {JMP QWORD [RIP+0x94fdd9c]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076c23464 6 bytes {JMP QWORD [RIP+0x95dcbcc]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076c25c34 6 bytes {JMP QWORD [RIP+0x955a3fc]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076c271e9 5 bytes {JMP QWORD [RIP+0x9518e48]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!GetKeyState 0000000076c278c0 6 bytes {JMP QWORD [RIP+0x9778770]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076c28e28 6 bytes {JMP QWORD [RIP+0x9697208]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c28f9c 6 bytes {JMP QWORD [RIP+0x9657094]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!PostMessageW 0000000076c292d4 6 bytes {JMP QWORD [RIP+0x9596d5c]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageW 0000000076c2a800 6 bytes {JMP QWORD [RIP+0x9615830]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076c30bf8 6 bytes {JMP QWORD [RIP+0x970f438]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076c31584 6 bytes {JMP QWORD [RIP+0x984eaac]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076c32360 6 bytes {JMP QWORD [RIP+0x980dcd0]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c35508 6 bytes {JMP QWORD [RIP+0x96aab28]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!mouse_event 0000000076c362c4 6 bytes {JMP QWORD [RIP+0x94a9d6c]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c391a0 6 bytes {JMP QWORD [RIP+0x9746e90]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c392e0 6 bytes {JMP QWORD [RIP+0x9626d50]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c39320 6 bytes {JMP QWORD [RIP+0x94c6d10]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendInput 0000000076c393d0 6 bytes {JMP QWORD [RIP+0x9726c60]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!BlockInput 0000000076c3b430 6 bytes {JMP QWORD [RIP+0x9824c00]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076c616e0 6 bytes {JMP QWORD [RIP+0x98be950]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!keybd_event 0000000076c84474 6 bytes {JMP QWORD [RIP+0x943bbbc]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c8cc58 6 bytes {JMP QWORD [RIP+0x96933d8]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c8dec8 6 bytes {JMP QWORD [RIP+0x9612168]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes JMP 48726573 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes JMP 940000d8 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes JMP 30303030 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes JMP 1 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 10002 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP e3ee60 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefede4750 6 bytes {JMP QWORD [RIP+0x14b8e0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefede4750 6 bytes {JMP QWORD [RIP+0x14b8e0]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes JMP 6a87 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\system32\atiesrxx.exe[1020] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes JMP 1e5a30 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes JMP a07681 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes JMP a73c4b1 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes JMP ac89fd9 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes JMP 57004f .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes JMP 4a00741 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes JMP 200054 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes JMP 31cf4b6 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes JMP a8c32f0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes JMP 4a24c81 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes JMP a46c640 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes JMP c2808f0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes JMP 4dff081 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes JMP 6e06371 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes JMP 15850000 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes JMP 769e881 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes JMP 80540c2 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes JMP d070628 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes JMP 9302f30 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes JMP 340042 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes JMP 4a00909 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes JMP 9511190 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\System32\svchost.exe[420] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefede4750 6 bytes {JMP QWORD [RIP+0x14b8e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 10002 .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1232] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\system32\atieclxx.exe[1284] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 750301 .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes JMP 7ed1 .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\System32\spoolsv.exe[1592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefede4750 6 bytes {JMP QWORD [RIP+0x14b8e0]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\system32\taskeng.exe[1832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes JMP 20006d .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes [08, 71] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text D:\xampp\apache\bin\httpd.exe[1228] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes JMP 0 .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes [02, 71] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes JMP 70e5000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes JMP 70e5000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes JMP 70e8000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes JMP 70e8000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes JMP 70d6000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes JMP 70d6000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Windows\system32\hasplms.exe[2124] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074c68b7c 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074c68e6e 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074c6cd35 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074c6d0da 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074c6d277 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074c6d27b 2 bytes [17, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074c6f0e6 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074c70f14 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074c70f9f 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000074c70fa3 2 bytes [11, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074c72902 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074c735fb 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074c735ff 2 bytes [23, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074c73cbf 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074c73d76 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetParent 0000000074c73f14 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074c73f18 2 bytes [26, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074c73f54 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074c74858 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074c7492a 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074c7492e 2 bytes [32, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074c78364 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074c7b7e6 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074c7b7ea 2 bytes [20, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074c7c991 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074c806b3 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074c8090f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074c82959 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074c8eef4 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074c8ef4a 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074c8f422 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074c8f9b0 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074c90f60 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendInput 0000000074c9195e 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074c91962 2 bytes [35, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074ca9f3b 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074cb15ef 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074cc040b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074cc044f 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074cc6e8c 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074cc6eed 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074cc7f67 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074cc7f6b 2 bytes [1D, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074cc8a7b 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074cc8a7f 2 bytes [29, 71] .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Windows\SysWOW64\svchost.exe[2236] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes JMP 70fa000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes JMP 70fa000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes JMP 70e5000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes JMP 70e5000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes JMP 70eb000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes JMP 70eb000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes JMP 70e2000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes JMP 70e2000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes JMP 70ee000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes JMP 70ee000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes JMP 7106000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes JMP 7106000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes JMP 70e8000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes JMP 70e8000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes JMP 70d6000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes JMP 70d6000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes JMP 70f7000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes JMP 70f7000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes JMP 70df000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes JMP 70df000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes JMP 70d9000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes JMP 70d9000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes JMP 70f4000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes JMP 70f4000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes JMP 70dc000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes JMP 70dc000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes JMP 70f1000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes JMP 70f1000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes JMP 7100000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes JMP 7100000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes JMP 70fd000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes JMP 70fd000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes JMP 71a8000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes JMP 719c000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes JMP 7199000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes JMP 7190000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes JMP 719f000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes CALL 71ac0000 .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074c68b7c 6 bytes JMP 7163000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074c68e6e 6 bytes JMP 7157000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074c6cd35 6 bytes JMP 7151000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074c6d0da 6 bytes JMP 714b000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074c6d277 3 bytes JMP 7118000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074c6d27b 2 bytes JMP 7118000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074c6f0e6 6 bytes JMP 7169000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074c70f14 6 bytes JMP 715d000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074c70f9f 3 bytes JMP 7112000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000074c70fa3 2 bytes JMP 7112000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074c72902 6 bytes JMP 7130000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074c735fb 3 bytes JMP 7124000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074c735ff 2 bytes JMP 7124000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074c73cbf 6 bytes JMP 7160000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074c73d76 6 bytes JMP 715a000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetParent 0000000074c73f14 3 bytes JMP 7127000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074c73f18 2 bytes JMP 7127000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074c73f54 6 bytes JMP 710f000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074c74858 6 bytes JMP 712d000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074c7492a 3 bytes JMP 7133000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074c7492e 2 bytes JMP 7133000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074c78364 6 bytes JMP 716f000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074c7b7e6 3 bytes JMP 7121000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074c7b7ea 2 bytes JMP 7121000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074c7c991 6 bytes JMP 713c000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074c806b3 6 bytes JMP 716c000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074c8090f 6 bytes JMP 7145000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074c82959 6 bytes JMP 7139000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074c8eef4 6 bytes JMP 7154000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074c8ef4a 6 bytes JMP 7166000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074c8f422 6 bytes JMP 714e000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074c8f9b0 6 bytes JMP 7115000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074c90f60 6 bytes JMP 713f000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendInput 0000000074c9195e 3 bytes JMP 7136000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074c91962 2 bytes JMP 7136000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074ca9f3b 6 bytes JMP 711b000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074cb15ef 6 bytes JMP 710c000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074cc040b 6 bytes JMP 7172000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074cc044f 6 bytes JMP 7175000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074cc6e8c 6 bytes JMP 7148000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074cc6eed 6 bytes JMP 7142000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074cc7f67 3 bytes JMP 711e000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074cc7f6b 2 bytes JMP 711e000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074cc8a7b 3 bytes JMP 712a000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074cc8a7f 2 bytes JMP 712a000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761d58b3 6 bytes JMP 7184000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000761d5ea6 6 bytes JMP 7181000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000761d7bcc 6 bytes JMP 718d000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000761db895 6 bytes JMP 7178000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000761dc332 6 bytes JMP 717e000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000761dcbfb 6 bytes JMP 7187000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000761de743 6 bytes JMP 718a000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007620480f 6 bytes JMP 717b000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes JMP 7196000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes JMP 7193000a .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075121465 2 bytes [12, 75] .text D:\Programy\RocketDock\RocketDock.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751214bb 2 bytes [12, 75] .text ... * 2 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074c68b7c 6 bytes JMP 7163000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074c68e6e 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074c6cd35 6 bytes JMP 7151000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074c6d0da 6 bytes JMP 714b000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074c6d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074c6d27b 2 bytes [17, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074c6f0e6 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074c70f14 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074c70f9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000074c70fa3 2 bytes JMP 7112000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074c72902 6 bytes JMP 7130000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074c735fb 3 bytes JMP 7124000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074c735ff 2 bytes JMP 7124000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074c73cbf 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074c73d76 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetParent 0000000074c73f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074c73f18 2 bytes [26, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074c73f54 6 bytes JMP 710f000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074c74858 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074c7492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074c7492e 2 bytes [32, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074c78364 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074c7b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074c7b7ea 2 bytes [20, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074c7c991 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074c806b3 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074c8090f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074c82959 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074c8eef4 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074c8ef4a 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074c8f422 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074c8f9b0 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074c90f60 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendInput 0000000074c9195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074c91962 2 bytes [35, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074ca9f3b 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074cb15ef 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074cc040b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074cc044f 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074cc6e8c 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074cc6eed 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074cc7f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074cc7f6b 2 bytes [1D, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074cc8a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074cc8a7f 2 bytes [29, 71] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761d58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000761d5ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000761d7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000761db895 6 bytes JMP 7178000a .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000761dc332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000761dcbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000761de743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007620480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2512] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes JMP 5b20c483 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes [08, 71] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text D:\xampp\apache\bin\httpd.exe[2964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes JMP 0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP d64c5b61 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\System32\svchost.exe[3444] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 1f0024 .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\System32\svchost.exe[3492] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\System32\svchost.exe[3640] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\sppsvc.exe[3756] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[3804] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes JMP 610077 .text D:\Programy\AVG TuneUp\TuneUpUtilitiesService64.exe[3872] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes JMP 4d005c .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 79000026 .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\viakaraokesrv.exe[3912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 177a00 .text C:\Windows\system32\svchost.exe[4696] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4764] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4764] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4764] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 47] .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text D:\Programy\AVG TuneUp\TuneUpUtilitiesApp64.exe[5000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 750301 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes JMP 780053 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 2bc5 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[4800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 1407 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes [08, 71] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files\Tablet\Wacom\WacomHost.exe[2700] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 3D] .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 43] .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes JMP 20006d .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5024] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[5032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\KERNEL32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 06] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 1f0024 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes [E4, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes [E1, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes [E7, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes [D5, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes [DE, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes [D8, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes [DB, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[6516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text D:\Download\FRST64.exe[7732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes [B5, 6F, 44] .text D:\Download\FRST64.exe[7732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 48] .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\advapi32.DLL!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x345940]} .text D:\Download\FRST64.exe[7732] C:\Windows\system32\advapi32.DLL!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x33f420]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefed0a6f0 6 bytes {JMP QWORD [RIP+0x1e5940]} .text C:\Windows\system32\DllHost.exe[7692] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefed30c10 6 bytes {JMP QWORD [RIP+0x1df420]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\system32\notepad.exe[7624] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 40] .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[7432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes JMP 4d68636d .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes {JMP QWORD [RIP+0x1b4648]} .text C:\Windows\system32\notepad.exe[7368] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes {JMP QWORD [RIP+0x193780]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33b10 6 bytes {JMP QWORD [RIP+0x930c520]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d613a0 6 bytes {JMP QWORD [RIP+0x92bec90]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d61570 6 bytes {JMP QWORD [RIP+0x987eac0]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d615e0 6 bytes {JMP QWORD [RIP+0x995ea50]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61620 6 bytes {JMP QWORD [RIP+0x991ea10]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076d616c0 6 bytes {JMP QWORD [RIP+0x997e970]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d61750 6 bytes {JMP QWORD [RIP+0x98fe8e0]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d61790 6 bytes {JMP QWORD [RIP+0x97fe8a0]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d617e0 6 bytes {JMP QWORD [RIP+0x981e850]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61800 6 bytes {JMP QWORD [RIP+0x993e830]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076d619f0 6 bytes {JMP QWORD [RIP+0x99fe640]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076d61bd0 6 bytes {JMP QWORD [RIP+0x989e460]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076d61d20 6 bytes {JMP QWORD [RIP+0x999e310]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d30 6 bytes {JMP QWORD [RIP+0x99de300]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d620a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076d62130 6 bytes {JMP QWORD [RIP+0x99bdf00]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d629a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a20 6 bytes {JMP QWORD [RIP+0x983d610]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62aa0 6 bytes {JMP QWORD [RIP+0x985d590]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076afa420 6 bytes {JMP QWORD [RIP+0x95a5c10]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076b11b50 6 bytes {JMP QWORD [RIP+0x954e4e0]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076b88810 6 bytes {JMP QWORD [RIP+0x94f7820]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce79055 3 bytes CALL 9000027 .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefb22d0 6 bytes {JMP QWORD [RIP+0x13dd60]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefefb24b8 6 bytes {JMP QWORD [RIP+0x15db78]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefefb5be0 6 bytes {JMP QWORD [RIP+0x17a450]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefb8384 6 bytes {JMP QWORD [RIP+0xf7cac]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefb89c4 6 bytes {JMP QWORD [RIP+0xd766c]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefb933c 6 bytes {JMP QWORD [RIP+0x116cf4]} .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefefbb9e8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[7428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefefbc8b0 6 bytes JMP 0 .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f0f9e0 3 bytes JMP 71af000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f0f9e4 2 bytes JMP 71af000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fcb0 3 bytes JMP 70fa000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f0fcb4 2 bytes JMP 70fa000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f0fd64 3 bytes JMP 70e5000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f0fd68 2 bytes JMP 70e5000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f0fdc8 3 bytes JMP 70eb000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f0fdcc 2 bytes JMP 70eb000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f0fec0 3 bytes JMP 70e2000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f0fec4 2 bytes JMP 70e2000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f0ffa4 3 bytes JMP 70ee000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f0ffa8 2 bytes JMP 70ee000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f10004 3 bytes JMP 7106000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f10008 2 bytes JMP 7106000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f10084 3 bytes JMP 7103000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f10088 2 bytes JMP 7103000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f100b4 3 bytes JMP 70e8000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f100b8 2 bytes JMP 70e8000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f103b8 3 bytes JMP 70d6000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f103bc 2 bytes JMP 70d6000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f10550 3 bytes JMP 7109000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f10554 2 bytes JMP 7109000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f10694 3 bytes JMP 70f7000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f10698 2 bytes JMP 70f7000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f1088c 3 bytes JMP 70df000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f10890 2 bytes JMP 70df000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f108a4 3 bytes JMP 70d9000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f108a8 2 bytes JMP 70d9000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f10df4 3 bytes JMP 70f4000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f10df8 2 bytes JMP 70f4000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f10ed8 3 bytes JMP 70dc000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f10edc 2 bytes JMP 70dc000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f11be4 3 bytes JMP 70f1000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f11be8 2 bytes JMP 70f1000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f11cb4 3 bytes JMP 7100000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f11cb8 2 bytes JMP 7100000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f11d8c 3 bytes JMP 70fd000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f11d90 2 bytes JMP 70fd000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31287 6 bytes JMP 71a8000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007664103d 6 bytes JMP 719c000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076641072 6 bytes JMP 7199000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007666c965 6 bytes JMP 7190000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007694f776 6 bytes JMP 719f000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076952c91 4 bytes CALL 71ac0000 .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074c68b7c 6 bytes JMP 7163000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074c68e6e 6 bytes JMP 7157000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074c6cd35 6 bytes JMP 7151000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074c6d0da 6 bytes JMP 714b000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074c6d277 3 bytes JMP 7118000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074c6d27b 2 bytes JMP 7118000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074c6f0e6 6 bytes JMP 7169000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074c70f14 6 bytes JMP 715d000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074c70f9f 3 bytes JMP 7112000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000074c70fa3 2 bytes JMP 7112000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074c72902 6 bytes JMP 7130000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074c735fb 3 bytes JMP 7124000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074c735ff 2 bytes JMP 7124000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074c73cbf 6 bytes JMP 7160000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074c73d76 6 bytes JMP 715a000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetParent 0000000074c73f14 3 bytes JMP 7127000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074c73f18 2 bytes JMP 7127000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074c73f54 6 bytes JMP 710f000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074c74858 6 bytes JMP 712d000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074c7492a 3 bytes JMP 7133000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074c7492e 2 bytes JMP 7133000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074c78364 6 bytes JMP 716f000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074c7b7e6 3 bytes JMP 7121000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074c7b7ea 2 bytes JMP 7121000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074c7c991 6 bytes JMP 713c000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074c806b3 6 bytes JMP 716c000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074c8090f 6 bytes JMP 7145000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074c82959 6 bytes JMP 7139000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074c8eef4 6 bytes JMP 7154000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074c8ef4a 6 bytes JMP 7166000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074c8f422 6 bytes JMP 714e000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074c8f9b0 6 bytes JMP 7115000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074c90f60 6 bytes JMP 713f000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendInput 0000000074c9195e 3 bytes JMP 7136000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074c91962 2 bytes JMP 7136000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074ca9f3b 6 bytes JMP 711b000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074cb15ef 6 bytes JMP 710c000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074cc040b 6 bytes JMP 7172000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074cc044f 6 bytes JMP 7175000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074cc6e8c 6 bytes JMP 7148000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074cc6eed 6 bytes JMP 7142000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074cc7f67 3 bytes JMP 711e000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074cc7f6b 2 bytes JMP 711e000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074cc8a7b 3 bytes JMP 712a000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074cc8a7f 2 bytes JMP 712a000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761d58b3 6 bytes JMP 7184000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000761d5ea6 6 bytes JMP 7181000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000761d7bcc 6 bytes JMP 718d000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000761db895 6 bytes JMP 7178000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000761dc332 6 bytes JMP 717e000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000761dcbfb 6 bytes JMP 7187000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000761de743 6 bytes JMP 718a000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007620480f 6 bytes JMP 717b000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763e2642 6 bytes JMP 7196000a .text D:\Download\krs4fhov.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763e5429 6 bytes JMP 7193000a ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001081f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001081cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108269c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001082a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010828f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80040082c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80040082c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80040082c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-4 fffffa80040082c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80040082c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80040082c0 Device \Driver\ayzu525d \Device\Scsi\ayzu525d1 fffffa80053402c0 Device \FileSystem\Ntfs \Ntfs fffffa800400c2c0 Device \FileSystem\fastfat \Fat fffffa80076362c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D611A404-78E5-4463-B2D4-78168B247BB0} fffffa80049712c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa80052592c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa80052572c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa80052572c0 Device \Driver\cdrom \Device\CdRom0 fffffa80049262c0 Device \Driver\dtsoftbus01 \Device\00000080 fffffa80045fd2c0 Device \Driver\cdrom \Device\CdRom1 fffffa80049262c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa80052572c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80052572c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80052572c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80052592c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80045fd2c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa80052592c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa80052572c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa80052572c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049712c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa80052572c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80052572c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80040082c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80052592c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80052572c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80040082c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80040082c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80040082c0 Device \Driver\ayzu525d \Device\ScsiPort4 fffffa80053402c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80040082c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80040082c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e8060] fffffa80045e8060 Trace 3 CLASSPNP.SYS[fffff88001a6143f] -> nt!IofCallDriver -> [0xfffffa80045eb580] fffffa80045eb580 Trace 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T1L0-4[0xfffffa80045f7060] fffffa80045f7060 Trace \Driver\atapi[0xfffffa80040b1ab0] -> IRP_MJ_CREATE -> 0xfffffa80040082c0 fffffa80040082c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ayzu525d.SYS fffff88006da9000-fffff88006dfa000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\DllHost.exe [7692:6232] 000007feea385170 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0x25 0xF6 0xD4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDA 0xF2 0x1E 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0x22 0x68 0x3C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0x25 0xF6 0xD4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDA 0xF2 0x1E 0x94 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0x22 0x68 0x3C ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Data@UpdateBin.{A6D52E4F-569B-4756-B3D8-DF217313DA85} 0x80 0x67 0x24 0x53 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=5BA16879 Repack by X-pack\x2122.exe 1 ---- EOF - GMER 2.1 ----