GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-08 11:39:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 Hitachi_ rev.ES2O 298,09GB Running: gmer.exe; Driver: C:\Users\UZYTKO~1\AppData\Local\Temp\ugtdrpob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000174d00 7 bytes [C0, 83, F3, FF, C1, 94, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000174d08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!SetThreadDesktop 0000000076cbd6d0 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!SetClipboardData 0000000076cce43c 5 bytes JMP 000000006fff00d8 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076cce874 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!mouse_event 0000000076cd3894 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!SendInput 0000000076cd8cd0 8 bytes JMP 000000006fff0180 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!PrintWindow 0000000076cdb180 8 bytes JMP 000000006fff0260 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\USER32.dll!keybd_event 0000000076d245a4 7 bytes JMP 000000006fff01b8 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetThreadDesktop 0000000076cbd6d0 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetClipboardData 0000000076cce43c 5 bytes JMP 000000006fff00d8 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076cce874 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!mouse_event 0000000076cd3894 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SendInput 0000000076cd8cd0 8 bytes JMP 000000006fff0180 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!PrintWindow 0000000076cdb180 8 bytes JMP 000000006fff0260 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!keybd_event 0000000076d245a4 7 bytes JMP 000000006fff01b8 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!SetThreadDesktop 0000000076cbd6d0 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!SetClipboardData 0000000076cce43c 5 bytes JMP 000000006fff00d8 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076cce874 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!mouse_event 0000000076cd3894 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!SendInput 0000000076cd8cd0 8 bytes JMP 000000006fff0180 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!PrintWindow 0000000076cdb180 8 bytes JMP 000000006fff0260 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\USER32.dll!keybd_event 0000000076d245a4 7 bytes JMP 000000006fff01b8 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\lsass.exe[672] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\lsm.exe[680] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[128] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefee802d0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefee80148 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefee80260 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefee801b8 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefee80110 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefee800d8 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefee80298 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefee80180 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefee801f0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefee80228 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074bf1401 2 bytes JMP 758db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074bf1419 2 bytes JMP 758db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074bf1431 2 bytes JMP 75958f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074bf144a 2 bytes CALL 758b489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074bf14dd 2 bytes JMP 75958822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074bf14f5 2 bytes JMP 759589f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074bf150d 2 bytes JMP 75958718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074bf1525 2 bytes JMP 75958ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074bf153d 2 bytes JMP 758cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074bf1555 2 bytes JMP 758d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074bf156d 2 bytes JMP 75958fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074bf1585 2 bytes JMP 75958b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074bf159d 2 bytes JMP 759586dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074bf15b5 2 bytes JMP 758cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074bf15cd 2 bytes JMP 758db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074bf16b2 2 bytes JMP 75958ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074bf16bd 2 bytes JMP 75958671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1676] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 0F] .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefe0102d0 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefe010148 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefe010260 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefe0101b8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefe010110 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefe0100d8 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefe010298 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefe010180 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefe0101f0 .text C:\Program Files (x86)\COMODO\COMODO Secure Shopping\csssrv64.exe[1720] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefe010228 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1888] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[1920] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[1960] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\user32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe[2044] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[1568] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2564] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074bf1401 2 bytes JMP 758db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074bf1419 2 bytes JMP 758db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074bf1431 2 bytes JMP 75958f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074bf144a 2 bytes CALL 758b489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074bf14dd 2 bytes JMP 75958822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074bf14f5 2 bytes JMP 759589f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074bf150d 2 bytes JMP 75958718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074bf1525 2 bytes JMP 75958ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074bf153d 2 bytes JMP 758cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074bf1555 2 bytes JMP 758d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074bf156d 2 bytes JMP 75958fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074bf1585 2 bytes JMP 75958b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074bf159d 2 bytes JMP 759586dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074bf15b5 2 bytes JMP 758cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074bf15cd 2 bytes JMP 758db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074bf16b2 2 bytes JMP 75958ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074bf16bd 2 bytes JMP 75958671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL 9b6 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\servicing\TrustedInstaller.exe[2936] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\Dwm.exe[2416] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0180 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\Explorer.EXE[3876] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3976] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1640] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3404] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\igfxtray.exe[3368] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\hkcmd.exe[3996] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\igfxpers.exe[3920] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3680] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076dcdbc0 5 bytes JMP 000000006fff0228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3972] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes CALL b03 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\taskeng.exe[3692] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\system32\DllHost.exe[3556] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[2976] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefce3b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeee22cc 5 bytes JMP 000007fefeed02d0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeee24c0 5 bytes JMP 000007fefeed0148 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefeee3e10 5 bytes JMP 000007fefeed0260 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeee5bf0 5 bytes JMP 000007fefeed01b8 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeee8398 9 bytes JMP 000007fefeed0110 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeee89bc 9 bytes JMP 000007fefeed00d8 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeee9320 5 bytes JMP 000007fefeed0298 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeeeb9e8 5 bytes JMP 000007fefeed0180 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeeec8f0 5 bytes JMP 000007fefeed01f0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeef5480 5 bytes JMP 000007fefeed0228 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Users\uzytkownik\Desktop\testy\gmer\gmer.exe[3060] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000758c3bab 5 bytes JMP 000000007302edf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000074ed2ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!SetThreadDesktop 00000000768d0296 5 bytes JMP 0000000073031480 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!SendInput 00000000768eff4a 5 bytes JMP 0000000073031810 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076908e57 5 bytes JMP 0000000073031b80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076909f1d 5 bytes JMP 0000000073031c10 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!mouse_event 000000007692027b 5 bytes JMP 0000000073031a80 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769202bf 5 bytes JMP 00000000730319a0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\USER32.dll!PrintWindow 000000007692882b 5 bytes JMP 000000007302bcc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755258b3 5 bytes JMP 000000007302bdc0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075525ea5 5 bytes JMP 000000007302a4d0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075527ba4 5 bytes JMP 000000007302a200 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007552ae1b 5 bytes JMP 000000007302b740 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007552b986 5 bytes JMP 000000007302baf0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007552ba5f 5 bytes JMP 000000007302a870 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007552bd6e 5 bytes JMP 000000007302b390 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007552cc01 5 bytes JMP 000000007302ac20 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007552ea03 5 bytes JMP 000000007302a3b0 .text C:\Program Files (x86)\AnyDesk\AnyDesk.exe[3588] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075554969 5 bytes JMP 000000007302afe0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70d0d360f Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70d0d360f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.2 ---- File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_6.1.7601_142e42c380ffa24d1591bb3fa3711d4a671cd97b_0d33cb0b 0 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_6.1.7601_142e42c380ffa24d1591bb3fa3711d4a671cd97b_0d33cb0b\Report.wer 1844 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_6.1.7601_142e42c380ffa24d1591bb3fa3711d4a671cd97b_0953caae 0 bytes File C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_6.1.7601_142e42c380ffa24d1591bb3fa3711d4a671cd97b_0953caae\Report.wer 1844 bytes ---- EOF - GMER 2.2 ----