GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-09 12:57:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0002SDM1 298,09GB Running: ky0niblv.exe; Driver: C:\Users\ikaaa\AppData\Local\Temp\fwddakog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033a2000 45 bytes [00, 00, 0A, 02, 4D, 75, 74, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033a202f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88005905d8c 12 bytes {MOV RAX, 0xfffffa8004dc72a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077811360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077811560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\services.exe[540] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes CALL 0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes JMP 4e004f .text C:\Windows\system32\lsass.exe[556] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefef9a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[556] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefefc0c10 6 bytes JMP 2e0 .text C:\Windows\system32\lsm.exe[564] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\svchost.exe[732] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes JMP 59835983 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes JMP 5fc8470 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes JMP 4c66151 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes JMP 400600 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes JMP ab11f91 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes JMP 8eced28 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes JMP 80e79e9 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes JMP 8d68ee8 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes JMP 8e8e818 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes JMP 410046 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes JMP 21a00 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes JMP c00600 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes JMP f0c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes JMP 49004b .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes JMP 8e0e168 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes JMP 758ad00 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes JMP 1b90c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes JMP 1cedfc0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes JMP 2325c0 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775a98e0 6 bytes JMP 8cfd351 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775c0650 6 bytes JMP 8a9f9b8 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007763acf0 6 bytes JMP 1012f26 .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefef9a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[356] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefefc0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775a98e0 6 bytes {JMP QWORD [RIP+0x8af6750]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775c0650 6 bytes {JMP QWORD [RIP+0x8a9f9e0]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007763acf0 6 bytes {JMP QWORD [RIP+0x8a45340]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdf74750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefef9a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefefc0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9722d0 6 bytes {JMP QWORD [RIP+0x19dd60]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9724b8 6 bytes {JMP QWORD [RIP+0x1bdb78]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff975be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff978384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9789c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!GetPixel 000007feff97933c 6 bytes {JMP QWORD [RIP+0x176cf4]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff97b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff97c8b0 6 bytes {JMP QWORD [RIP+0x1f3780]} .text C:\Windows\system32\atieclxx.exe[1224] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdf74750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1476] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9722d0 6 bytes {JMP QWORD [RIP+0x19dd60]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9724b8 6 bytes {JMP QWORD [RIP+0x1bdb78]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff975be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff978384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9789c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff97933c 6 bytes {JMP QWORD [RIP+0x176cf4]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff97b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\Dwm.exe[1844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff97c8b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775a98e0 6 bytes {JMP QWORD [RIP+0x8af6750]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775c0650 6 bytes {JMP QWORD [RIP+0x8a9f9e0]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007763acf0 6 bytes {JMP QWORD [RIP+0x8a45340]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes CALL 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9722d0 6 bytes {JMP QWORD [RIP+0x19dd60]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9724b8 6 bytes {JMP QWORD [RIP+0x1bdb78]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff975be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff978384 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9789c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!GetPixel 000007feff97933c 6 bytes JMP 530031 .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff97b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff97c8b0 6 bytes {JMP QWORD [RIP+0x1f3780]} .text C:\Windows\Explorer.EXE[1920] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd2750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\System32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes JMP 2 .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\system32\SearchIndexer.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777e3b10 6 bytes {JMP QWORD [RIP+0x885c520]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778113a0 6 bytes {JMP QWORD [RIP+0x880ec90]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077811570 6 bytes {JMP QWORD [RIP+0x8dceac0]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778115e0 6 bytes {JMP QWORD [RIP+0x8eaea50]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077811620 6 bytes {JMP QWORD [RIP+0x8e6ea10]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778116c0 6 bytes {JMP QWORD [RIP+0x8ece970]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077811750 6 bytes {JMP QWORD [RIP+0x8e4e8e0]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077811790 6 bytes {JMP QWORD [RIP+0x8d4e8a0]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778117e0 6 bytes {JMP QWORD [RIP+0x8d6e850]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 6 bytes {JMP QWORD [RIP+0x8e8e830]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778119f0 6 bytes {JMP QWORD [RIP+0x8f4e640]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077811b00 6 bytes {JMP QWORD [RIP+0x8d2e530]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077811bd0 6 bytes {JMP QWORD [RIP+0x8dee460]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077811d20 6 bytes {JMP QWORD [RIP+0x8eee310]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077811d30 6 bytes {JMP QWORD [RIP+0x8f2e300]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778120a0 6 bytes {JMP QWORD [RIP+0x8e0df90]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077812130 6 bytes {JMP QWORD [RIP+0x8f0df00]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778129a0 6 bytes {JMP QWORD [RIP+0x8e2d690]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077812a20 6 bytes {JMP QWORD [RIP+0x8d8d610]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077812aa0 6 bytes {JMP QWORD [RIP+0x8dad590]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd739055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[3128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3128] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefef9a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[3128] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefefc0c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077811430 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077811800 8 bytes JMP 000000016fff00d8 .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779bf9e0 3 bytes JMP 71af000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779bf9e4 2 bytes JMP 71af000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779bfcb0 3 bytes JMP 70f7000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779bfcb4 2 bytes JMP 70f7000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779bfd64 3 bytes JMP 70e2000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779bfd68 2 bytes JMP 70e2000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779bfdc8 3 bytes JMP 70e8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779bfdcc 2 bytes JMP 70e8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779bfec0 3 bytes JMP 70df000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779bfec4 2 bytes JMP 70df000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779bffa4 3 bytes JMP 70eb000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779bffa8 2 bytes JMP 70eb000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779c0004 3 bytes JMP 7103000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779c0008 2 bytes JMP 7103000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779c0084 3 bytes JMP 7100000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779c0088 2 bytes JMP 7100000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779c00b4 3 bytes JMP 70e5000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779c00b8 2 bytes JMP 70e5000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779c03b8 3 bytes JMP 70d3000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779c03bc 2 bytes JMP 70d3000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c0550 3 bytes JMP 7106000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779c0554 2 bytes JMP 7106000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779c0694 3 bytes JMP 70f4000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779c0698 2 bytes JMP 70f4000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779c088c 3 bytes JMP 70dc000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779c0890 2 bytes JMP 70dc000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779c08a4 3 bytes JMP 70d6000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779c08a8 2 bytes JMP 70d6000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779c0df4 3 bytes JMP 70f1000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779c0df8 2 bytes JMP 70f1000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779c0ed8 3 bytes JMP 70d9000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779c0edc 2 bytes JMP 70d9000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779c1be4 3 bytes JMP 70ee000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779c1be8 2 bytes JMP 70ee000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779c1cb4 3 bytes JMP 70fd000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779c1cb8 2 bytes JMP 70fd000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779c1d8c 3 bytes JMP 70fa000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779c1d90 2 bytes JMP 70fa000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779e1287 6 bytes JMP 71a8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000772e103d 6 bytes JMP 719c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000772e1072 6 bytes JMP 7199000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007730c9b5 6 bytes JMP 7190000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c6f776 6 bytes JMP 719f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c72c91 4 bytes CALL 71ac0000 .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075938332 6 bytes JMP 7160000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075938bff 6 bytes JMP 7154000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759390d3 6 bytes JMP 710f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075939679 6 bytes JMP 714e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759397d2 6 bytes JMP 7148000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007593ee09 6 bytes JMP 7166000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007593efc9 3 bytes JMP 7115000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007593efcd 2 bytes JMP 7115000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759412a5 6 bytes JMP 715a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007594291f 6 bytes JMP 712d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetParent 0000000075942d64 3 bytes JMP 7124000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075942d68 2 bytes JMP 7124000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075942da4 6 bytes JMP 710c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075943698 3 bytes JMP 7121000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007594369c 2 bytes JMP 7121000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075943baa 6 bytes JMP 715d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075943c61 6 bytes JMP 7157000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075946110 6 bytes JMP 7163000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007594612e 6 bytes JMP 7151000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075946c30 6 bytes JMP 7112000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075947603 6 bytes JMP 7169000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075947668 6 bytes JMP 713c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759476e0 6 bytes JMP 7142000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007594781f 6 bytes JMP 714b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007594835c 6 bytes JMP 716c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007594c4b6 3 bytes JMP 711e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007594c4ba 2 bytes JMP 711e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007595c112 6 bytes JMP 7139000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007595d0f5 6 bytes JMP 7136000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007595eb96 6 bytes JMP 712a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007595ec68 3 bytes JMP 7130000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007595ec6c 2 bytes JMP 7130000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendInput 000000007595ff4a 3 bytes JMP 7133000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007595ff4e 2 bytes JMP 7133000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075979f1d 6 bytes JMP 7118000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075981497 6 bytes JMP 7109000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!mouse_event 000000007599027b 6 bytes JMP 716f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759902bf 6 bytes JMP 7172000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075996cfc 6 bytes JMP 7145000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075996d5d 6 bytes JMP 713f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075997dd7 3 bytes JMP 711b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075997ddb 2 bytes JMP 711b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759988eb 3 bytes JMP 7127000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759988ef 2 bytes JMP 7127000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000775258b3 6 bytes JMP 7184000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077525ea6 6 bytes JMP 717e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077527bcc 6 bytes JMP 718d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007752b895 6 bytes JMP 7175000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007752c332 6 bytes JMP 717b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007752cbfb 6 bytes JMP 7187000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007752e743 6 bytes JMP 718a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007755480f 6 bytes JMP 7178000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075862642 6 bytes JMP 7196000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075865429 6 bytes JMP 7193000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753f124e 6 bytes JMP 7181000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\OTL.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779bf9e0 3 bytes JMP 71af000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779bf9e4 2 bytes JMP 71af000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779bfcb0 3 bytes JMP 70f7000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779bfcb4 2 bytes JMP 70f7000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779bfd64 3 bytes JMP 70e2000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779bfd68 2 bytes JMP 70e2000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779bfdc8 3 bytes JMP 70e8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779bfdcc 2 bytes JMP 70e8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779bfec0 3 bytes JMP 70df000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779bfec4 2 bytes JMP 70df000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779bffa4 3 bytes JMP 70eb000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779bffa8 2 bytes JMP 70eb000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779c0004 3 bytes JMP 7103000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779c0008 2 bytes JMP 7103000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779c0084 3 bytes JMP 7100000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779c0088 2 bytes JMP 7100000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779c00b4 3 bytes JMP 70e5000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779c00b8 2 bytes JMP 70e5000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779c03b8 3 bytes JMP 70d3000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779c03bc 2 bytes JMP 70d3000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c0550 3 bytes JMP 7106000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779c0554 2 bytes JMP 7106000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779c0694 3 bytes JMP 70f4000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779c0698 2 bytes JMP 70f4000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779c088c 3 bytes JMP 70dc000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779c0890 2 bytes JMP 70dc000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779c08a4 3 bytes JMP 70d6000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779c08a8 2 bytes JMP 70d6000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779c0df4 3 bytes JMP 70f1000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779c0df8 2 bytes JMP 70f1000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779c0ed8 3 bytes JMP 70d9000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779c0edc 2 bytes JMP 70d9000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779c1be4 3 bytes JMP 70ee000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779c1be8 2 bytes JMP 70ee000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779c1cb4 3 bytes JMP 70fd000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779c1cb8 2 bytes JMP 70fd000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779c1d8c 3 bytes JMP 70fa000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779c1d90 2 bytes JMP 70fa000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779e1287 6 bytes JMP 71a8000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000772e103d 6 bytes JMP 719c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000772e1072 6 bytes JMP 7199000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007730c9b5 6 bytes JMP 7190000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c6f776 6 bytes JMP 719f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c72c91 4 bytes CALL 71ac0000 .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075938332 6 bytes JMP 7160000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075938bff 6 bytes JMP 7154000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759390d3 6 bytes JMP 710f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075939679 6 bytes JMP 714e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759397d2 6 bytes JMP 7148000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007593ee09 6 bytes JMP 7166000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007593efc9 3 bytes JMP 7115000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007593efcd 2 bytes JMP 7115000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759412a5 6 bytes JMP 715a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007594291f 6 bytes JMP 712d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetParent 0000000075942d64 3 bytes JMP 7124000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075942d68 2 bytes JMP 7124000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075942da4 6 bytes JMP 710c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075943698 3 bytes JMP 7121000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007594369c 2 bytes JMP 7121000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075943baa 6 bytes JMP 715d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075943c61 6 bytes JMP 7157000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075946110 6 bytes JMP 7163000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007594612e 6 bytes JMP 7151000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075946c30 6 bytes JMP 7112000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075947603 6 bytes JMP 7169000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075947668 6 bytes JMP 713c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759476e0 6 bytes JMP 7142000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007594781f 6 bytes JMP 714b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007594835c 6 bytes JMP 716c000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007594c4b6 3 bytes JMP 711e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007594c4ba 2 bytes JMP 711e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007595c112 6 bytes JMP 7139000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007595d0f5 6 bytes JMP 7136000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007595eb96 6 bytes JMP 712a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007595ec68 3 bytes JMP 7130000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007595ec6c 2 bytes JMP 7130000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendInput 000000007595ff4a 3 bytes JMP 7133000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007595ff4e 2 bytes JMP 7133000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075979f1d 6 bytes JMP 7118000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075981497 6 bytes JMP 7109000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!mouse_event 000000007599027b 6 bytes JMP 716f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!keybd_event 00000000759902bf 6 bytes JMP 7172000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075996cfc 6 bytes JMP 7145000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075996d5d 6 bytes JMP 713f000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075997dd7 3 bytes JMP 711b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075997ddb 2 bytes JMP 711b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000759988eb 3 bytes JMP 7127000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000759988ef 2 bytes JMP 7127000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000775258b3 6 bytes JMP 7184000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077525ea6 6 bytes JMP 717e000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077527bcc 6 bytes JMP 718d000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007752b895 6 bytes JMP 7175000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007752c332 6 bytes JMP 717b000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007752cbfb 6 bytes JMP 7187000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007752e743 6 bytes JMP 718a000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007755480f 6 bytes JMP 7178000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075862642 6 bytes JMP 7196000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075865429 6 bytes JMP 7193000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753f124e 6 bytes JMP 7181000a .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\Users\ikaaa\Documents\Sports Interactive\Football Manager 2014\tactics\ky0niblv.exe[5040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010e7650] \SystemRoot\System32\Drivers\spaq.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010e75dc] \SystemRoot\System32\Drivers\spaq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b235c] \SystemRoot\System32\Drivers\spaq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b2224] \SystemRoot\System32\Drivers\spaq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b2a24] \SystemRoot\System32\Drivers\spaq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b2ba0] \SystemRoot\System32\Drivers\spaq.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80039a42c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039a42c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039a42c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 fffffa80039a42c0 Device \Driver\aph7ujnh \Device\Scsi\aph7ujnh1Port2Path0Target2Lun0 fffffa8004e242c0 Device \Driver\aph7ujnh \Device\Scsi\aph7ujnh1Port2Path0Target1Lun0 fffffa8004e242c0 Device \Driver\aph7ujnh \Device\Scsi\aph7ujnh1 fffffa8004e242c0 Device \Driver\aph7ujnh \Device\Scsi\aph7ujnh1Port2Path0Target0Lun0 fffffa8004e242c0 Device \FileSystem\Ntfs \Ntfs fffffa80039a82c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa8004dc92c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004dc92c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004dc92c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004cb22c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004cb22c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004cb22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{15327B56-A9B1-4B8B-880D-AB2A6786AF1C} fffffa8004d4e2c0 Device \Driver\cdrom \Device\CdRom3 fffffa8004cb22c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa8004dce2c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004dce2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004dc92c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa8004dc92c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004dc92c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004dc92c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80039a02c0 Device \Driver\volmgr \Device\FtControl fffffa80039a02c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80039a02c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80039a02c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004d4e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A3FAB2E6-6AD2-45BA-9B61-C169027B52B1} fffffa8004d4e2c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa8004dce2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039a42c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004dce2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004dc92c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039a42c0 Device \Driver\aph7ujnh \Device\ScsiPort2 fffffa8004e242c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a42c0]<< spaq.sys ataport.SYS amdide64.sys fffffa80039a42c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049a66b0] fffffa80049a66b0 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80047c8520] fffffa80047c8520 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047ca060] fffffa80047ca060 Trace \Driver\atapi[0xfffffa80047c0520] -> IRP_MJ_CREATE -> 0xfffffa80039a42c0 fffffa80039a42c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aph7ujnh.SYS fffff880059a5000-fffff880059ea000 (282624 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 24524 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 40548