Log analysis and evaluation: Various problems with the PC and, most recently: WShelper.exe (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
08.01.2015, 17:42 | #1
Various problems with the PC and, most recently: WShelper.exe

Good day!

I'm looking for help here to get an old PC running smoothly again. My computer broke a few days ago, so I set up my son's old PC in my office. My son moved out a few years ago, so I thought I could save myself the purchase of a new PC. Now the thing is that I have had to notice problems. First I noticed that the PC takes an extremely long time to boot. Since my son liked to play games on the PC, the computer should actually be quite good and shouldn't take longer to start than my old one, or am I wrong about that? On top of that, it sometimes switches off when it is put into sleep mode. That doesn't happen regularly, but "every now and then". In addition, strange error messages keep appearing, for example when starting various programs ("Access denied") or, when the PC starts, a message that the antivirus software "Commodo" could not be started (since I have never heard of this program: is it even a recommendable antivirus software?). Anyway, I constantly run into problems like this while working on the PC and recently thought I could simply give it a try here. So I have now gathered all the log files; please excuse any mistakes I may have made in the process! In any case, I hope you can identify one or another problem here and, in the best case, even solve it.

Further: while writing this post I had to notice that I no longer have any data transfer to the internet. I can browse normally, but as soon as I try to write a forum post, send an e-mail (via Thunderbird) or upload a file to my Dropbox, it doesn't work.

I installed "Wondershare TunesGo" earlier to be able to transfer music from the PC to my phone. While doing so I got messages about a "WShelper.exe". As a result I then uninstalled the software again. During the uninstall, the file "_iu14D2N.tmp" then tried to make many changes. I will now create log files once more and upload them for you.

So, since the log files exceed the character limit for a post by more than tenfold, I am uploading them here as attachments. I hope that is okay! I even had to pack the GMER log as a .zip, since it was otherwise 1.17 MB. Incidentally, GMER also reported rootkit activity.

Many thanks for your support and best regards,
Wilfried
08.01.2015, 17:57 | #2
/// the machine /// TB-Ausbilder | Various problems with the PC and, most recently: WShelper.exe

Hi,
__________________
Please always post logs in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks.

This is how it works: Posting in CODE tags

Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
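Before the log itself: a small triage helper, added here as an example and not a tool from Trojaner-Board, Farbar or anyone in this thread. It reads FRST lines in the shapes the log below uses (Run keys, MountPoints2 entries, URLSearchHooks, service and driver lines, browser plugins) and emits the review cues a helper looks at first: autostart files dated within days of the scan, services and drivers with no vendor string or marked [File not signed], MountPoints2 autorun handlers left behind by removable drives, search hooks, autostart entries running from user-writable paths, and dangling "No File" references. The sample lines are copied from the FRST.txt posted further down in this thread; the rule names, the seven-day window and the user-writable path list are my own choices, not FRST's, and a finding is a prompt to look closer, not a malware verdict.

```python
"""Triage helper for FRST log lines (added example, not an FRST or Trojaner-Board tool)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Sample input: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2072928 2015-01-08] (Wondershare)
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [Facebook Update] => "C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {01f545e5-c72a-11e3-b9a2-001d7da6420f} - H:\virtuallyjenna-en.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {1be2274b-c054-11e2-9cb2-806e6f6e6963} - F:\autorun.exe
URLSearchHook: HKLM-x32 - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15}
URLSearchHook: HKLM-x32 - SimilarWeb - {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - C:\Program Files (x86)\SimilarWeb\SimilarWeb.dll (SimilarGroup)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-09] (COMODO)
S2 MAGIX StartUp Analyze Service; C:\Program Files (x86)\MAGIX\PC_Check_Tuning_Free_2011\MXSAS.exe [186368 2010-11-04] (MAGIX AG) [File not signed]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-01-13] ()
CHR Plugin: (Native Client) - C:\Users\Tobias\AppData\Local\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll No File
"""
# Scan date from the FRST header in this thread ("Ran by Tobias ... on 08-01-2015").
SCAN_DATE = date(2015, 1, 8)


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name (my naming, not FRST's)
    detail: str  # the part of the entry worth looking at
    line: str    # the log line, verbatim


# Service/driver entries: "<R|S><n> <name>; <path> [<size> <YYYY-MM-DD>] (<vendor>)[ flags]".
SERVICE_RE = re.compile(
    r"^[RS]\d+ (?P<name>[^;]+); (?P<path>.+?) \[\d+ (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<vendor>[^)]*)\)(?P<flags>.*)$"
)
# Run-key entries: "...\Run: [<name>] => <target ...>".
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.+)$")
STAMP_RE = re.compile(r"\[\d+ (?P<date>\d{4}-\d{2}-\d{2})\]")
MOUNTPOINT_RE = re.compile(r"\\MountPoints2: \{[0-9a-fA-F-]{36}\} - (?P<target>.+)$")
# Locations a standard user can write to; an autostart living there deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def triage(log_text: str, scan_date: date, recent_days: int = 7) -> list[Finding]:
    """Return review cues for the FRST lines in log_text (no verdicts)."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        # Empty "()" means no company name in the version resource.
        if svc and (not svc["vendor"].strip() or "[File not signed]" in svc["flags"]):
            findings.append(Finding("unsigned-service", f"{svc['name']} -> {svc['path']}", line))
        mp = MOUNTPOINT_RE.search(line)
        if mp:
            findings.append(Finding("mountpoints2-autorun", mp["target"], line))
        if line.startswith("URLSearchHook:") and "Default Value" not in line:
            findings.append(Finding("url-search-hook", line.partition(" - ")[2], line))
        run = RUN_RE.search(line)
        if run:
            target = run["target"]
            if USER_WRITABLE_RE.search(target):
                findings.append(Finding("run-from-user-writable", target, line))
            stamp = STAMP_RE.search(target)
            if stamp:
                # Files dated within the window (or in the future) were placed around the
                # time the trouble started; WSHelper.exe is the example in this thread.
                age = scan_date - date.fromisoformat(stamp["date"])
                if age <= timedelta(days=recent_days):
                    findings.append(Finding("recent-autostart", f"{run['name']} ({stamp['date']})", line))
        if line.endswith(" No File"):
            findings.append(Finding("dangling-reference", line, line))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """How many cues each rule produced; handy for a first glance at a long log."""
    return dict(Counter(f.rule for f in findings))


def triage_sample() -> list[Finding]:
    """Run the rules over the sample lines with the thread's scan date."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.rule:24} {f.detail}")
```

On a real FRST.txt, feed the whole file to `triage()` with the scan date from its header; the signed COMODO service line in the sample produces no cue, which is the point of the vendor and signature checks.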
08.01.2015, 18:00 | #3
Various problems with the PC and, most recently: WShelper.exe

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-01-2015
Ran by Tobias (administrator) on TOBIAS-PC on 08-01-2015 16:38:21
Running from C:\Users\Tobias\Desktop
Loaded Profiles: Tobias & (Available profiles: Tobias)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Dropbox, Inc.) C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Disc Soft Ltd) C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Users\Tobias\Desktop\Defogger.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdupd.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [6868280 2012-05-21] (Logitech Inc.)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1297112 2014-12-09] (COMODO)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2279712 2013-12-10] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2000-01-01] (Realtek Semiconductor)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [444760 2014-03-07] (Razer Inc.)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [43608 2000-01-01] ()
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2013-11-15] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2072928 2015-01-08] (Wondershare)
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Run: [Google Update] => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-08-21] (Google Inc.)
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Run: [DAEMON Tools Ultra Agent] => C:\Program Files (x86)\DAEMON Tools Ultra\DTAgent.exe [3192056 2013-11-14] (Disc Soft Ltd)
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {01f545e5-c72a-11e3-b9a2-001d7da6420f} - H:\virtuallyjenna-en.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {01f545ea-c72a-11e3-b9a2-001d7da6420f} - K:\autorun.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {01f545f5-c72a-11e3-b9a2-001d7da6420f} - J:\autorun.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {01f54604-c72a-11e3-b9a2-001d7da6420f} - L:\autorun.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {09d7c289-0c19-11e4-8f46-001d7da6420f} - H:\LaunchU3.exe -a
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {1be2274b-c054-11e2-9cb2-806e6f6e6963} - F:\autorun.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {803984f0-0cc1-11e4-832f-001d7da6420f} - H:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {986a4d14-7c97-11e3-9eb2-001d7da6420f} - F:\autorun.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\MountPoints2: {fa311c55-52d6-11e3-957c-001d7da6420f} - H:\Startme.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [Google Update] => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-08-21] (Google Inc.)
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [Facebook Update] => "C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
Startup: C:\Users\Tobias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Tobias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\Tobias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com?fr=fp-comodo
HKU\S-1-5-21-2764848105-337601815-2700051401-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-2764848105-337601815-2700051401-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
URLSearchHook: HKLM-x32 - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15}
URLSearchHook: HKLM-x32 - SimilarWeb - {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - C:\Program Files (x86)\SimilarWeb\SimilarWeb.dll (SimilarGroup)
URLSearchHook: HKU\S-1-5-21-2764848105-337601815-2700051401-1000 - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15}
URLSearchHook: HKU\S-1-5-21-2764848105-337601815-2700051401-1000 - SimilarWeb - {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - C:\Program Files (x86)\SimilarWeb\SimilarWeb.dll (SimilarGroup)
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-2764848105-337601815-2700051401-1000 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - SimilarWeb - {74198672-5F7D-4FE9-A611-4AC1D5A66A15} - C:\Program Files (x86)\SimilarWeb\SimilarWeb.dll (SimilarGroup)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobias\AppData\Roaming\Mozilla\Firefox\Profiles\qgrdidvi.default
FF Homepage: google.de
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2764848105-337601815-2700051401-1000: @acestream.net/acestreamplugin,version=3.0.4 -> C:\Users\Tobias\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
FF Plugin HKU\S-1-5-21-2764848105-337601815-2700051401-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Tobias\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-2764848105-337601815-2700051401-1000: @talk.google.com/O1DPlugin -> C:\Users\Tobias\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-2764848105-337601815-2700051401-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2764848105-337601815-2700051401-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Tobias\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Tobias\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Users\Tobias\AppData\Roaming\Mozilla\Firefox\Profiles\qgrdidvi.default\searchplugins\pornmd.xml
FF Extension: ProxTube - C:\Users\Tobias\AppData\Roaming\Mozilla\Firefox\Profiles\qgrdidvi.default\Extensions\ich@maltegoetz.de.xpi [2014-10-11]
FF Extension: PornMD - C:\Users\Tobias\AppData\Roaming\Mozilla\Firefox\Profiles\qgrdidvi.default\Extensions\PornMD@PornMD.xpi [2015-01-08]
FF Extension: Adblock Edge - C:\Users\Tobias\AppData\Roaming\Mozilla\Firefox\Profiles\qgrdidvi.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-07-15]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-04-04]

Chrome:
=======
CHR HomePage: Default ->
CHR Plugin: (Shockwave Flash) - C:\Users\Tobias\AppData\Local\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Tobias\AppData\Local\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Tobias\AppData\Local\Google\Chrome\Application\39.0.2171.95\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Talk Plugin) - C:\Users\Tobias\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
CHR Plugin: (Google Talk Plugin Video Accelerator) - C:\Users\Tobias\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll No File
CHR Plugin: (Google Talk Plugin Video Renderer) - C:\Users\Tobias\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll No File
CHR Plugin: (Java(TM) Platform SE 7 U13) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Tobias\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.130.20) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR Profile: C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-04]
CHR Extension: (Copernic Desktop Search Connector) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnnbdaahphjgdgfhliignpepgnbnfomp [2013-12-16]
CHR Extension: (IRC QuakeNet webchat) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhaphniflbbhhfailihfckiifpbgeokd [2014-03-18]
CHR Extension: (AdBlock) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-02-03]
CHR Extension: (ProxMate - Proxy on steroids!) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgjpnmnpjmabddgmjdiaggacbololbjm [2013-04-13]
CHR Extension: (Stealthy) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnoje [2014-05-15]
CHR Extension: (Google Wallet) - C:\Users\Tobias\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Chrome\Extension: [cnnbdaahphjgdgfhliignpepgnbnfomp] - c:\program files (x86)\copernic\desktopsearch4\ChromeConnector\ChromeConnector.crx [2013-10-22]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [409304 2014-10-08] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [388824 2014-10-08] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [782040 2014-10-08] (BlueStack Systems, Inc.)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-09] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265304 2014-12-09] (COMODO)
R3 Disc Soft Bus Service; C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe [723192 2013-11-14] (Disc Soft Ltd)
S2 MAGIX StartUp Analyze Service; C:\Program Files (x86)\MAGIX\PC_Check_Tuning_Free_2011\MXSAS.exe [186368 2010-11-04] (MAGIX AG) [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-10] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15129376 2013-12-10] (NVIDIA Corporation)
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [998640 2014-12-29] (Overwolf LTD)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 RzOvlMon; C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2014-04-18] (Razer, Inc.)
S3 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [762320 2014-11-04] (Tunngle.net GmbH)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [122072 2014-10-08] (BlueStack Systems)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20184 2014-12-09] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [792648 2014-12-09] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [45880 2014-12-09] (COMODO)
R3 dtscsibus; C:\Windows\System32\DRIVERS\dtscsibus.sys [29696 2014-04-18] (Disc Soft Ltd)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [104608 2014-12-09] (COMODO)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-08] (Malwarebytes Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-05] (NVIDIA Corporation)
S3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation )
R3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-10] (Razer, Inc.)
R1 RzFilter; C:\Windows\system32\drivers\RzFilter.sys [74432 2014-04-10] (Razer, Inc.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-01-13] ()
R3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-08 15:13 - 2015-01-08 15:13 - 00000000 ____D () C:\ProgramData\Wondershare
2015-01-08 15:10 - 2015-01-08 15:10 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\HMYGSetting
2015-01-08 15:10 - 2015-01-08 15:10 - 00000000 ____D () C:\Users\Tobias\AppData\Local\Wondershare
2015-01-08 15:09 - 2015-01-08 15:09 - 00002041 _____ () C:\Users\Public\Desktop\Wondershare TunesGo.lnk
2015-01-08 15:09 - 2015-01-08 15:09 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Wondershare
2015-01-08 15:09 - 2015-01-08 15:09 - 00000000 ____D () C:\Users\Tobias\.android
2015-01-08 15:09 - 2015-01-08 15:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2015-01-08 15:09 - 2015-01-08 15:09 - 00000000 ____D () C:\Program Files (x86)\Wondershare
2015-01-08 14:42 - 2015-01-08 14:42 - 01233827 _____ () C:\Users\Tobias\Desktop\GMER.log
2015-01-08 14:13 - 2015-01-08 14:13 - 00290808 _____ () C:\Windows\Minidump\010815-23400-01.dmp
2015-01-08 00:39 - 2015-01-08 00:39 - 00019039 _____ () C:\Users\Tobias\Downloads\Versuch-21.odt
2015-01-07 18:38 - 2015-01-07 18:39 - 00046379 _____ () C:\Users\Tobias\Desktop\Addition.txt
2015-01-07 18:37 - 2015-01-07 18:37 - 00380416 _____ () C:\Users\Tobias\Desktop\o5lw8g6g.exe
2015-01-07 18:36 - 2015-01-08 16:38 - 00022563 _____ () C:\Users\Tobias\Desktop\FRST.txt
2015-01-07 18:36 - 2015-01-08 16:38 - 00000000 ____D () C:\FRST
2015-01-07 18:35 - 2015-01-07 18:35 - 02124288 _____ (Farbar) C:\Users\Tobias\Desktop\FRST64.exe
2015-01-07 18:34 - 2015-01-08 16:36 - 00000474 _____ () C:\Users\Tobias\Desktop\defogger_disable.log
2015-01-07 18:34 - 2015-01-07 18:34 - 00000000 _____ () C:\Users\Tobias\defogger_reenable
2015-01-07 18:16 - 2015-01-07 18:16 - 00050477 _____ () C:\Users\Tobias\Desktop\Defogger.exe
2015-01-07 17:57 - 2015-01-07 17:57 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-07 17:31 - 2015-01-07 17:32 - 39544000 _____ (Wondershare ) C:\Users\Tobias\Downloads\TunesGoforAndroid.exe
2015-01-07 17:15 - 2015-01-07 17:15 - 00000000 ____D () C:\ProgramData\Samsung
2015-01-07 17:10 - 2015-01-07 17:15 - 00000000 ____D () C:\Users\Tobias\Documents\samsung
2015-01-07 17:10 - 2015-01-07 17:10 - 00000000 ____D () C:\Users\Tobias\Documents\SelfMV
2015-01-07 17:10 - 2015-01-07 17:10 - 00000000 ____D () C:\Users\Public\Documents\NativeFus_Log
2015-01-07 17:09 - 2015-01-07 17:10 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Samsung
2015-01-07 17:09 - 2015-01-07 17:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
2015-01-07 17:09 - 2015-01-07 17:09 - 00000000 ____D () C:\Program Files (x86)\Samsung
2015-01-07 17:09 - 2014-05-07 17:42 - 00144664 _____ (MAPILab Ltd. & Add-in Express Ltd.) C:\Windows\SysWOW64\secman.dll
2015-01-07 16:59 - 2015-01-07 16:59 - 42424368 _____ (Samsung Electronics Co., Ltd.) C:\Users\Tobias\Downloads\Kies_3.2.14113_3.exe
2015-01-04 10:55 - 2015-01-04 10:55 - 01052536 _____ () C:\Windows\Minidump\010415-30217-01.dmp
2015-01-04 10:54 - 2015-01-08 14:12 - 506874316 _____ () C:\Windows\MEMORY.DMP
2014-12-22 23:33 - 2014-12-26 23:30 - 00000000 ____D () C:\ProgramData\Tunngle
2014-12-22 23:33 - 2014-12-22 23:33 - 00000000 ____D () C:\Users\Public\Documents\Tunngle
2014-12-22 23:33 - 2014-12-22 23:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tunngle
2014-12-22 23:31 - 2014-12-22 23:31 - 04501720 _____ (Tunngle.net GmbH ) C:\Users\Tobias\Downloads\Tunngle_Setup_v5.0 (1).exe
2014-12-22 23:30 - 2014-12-22 23:30 - 04501720 _____ (Tunngle.net GmbH ) C:\Users\Tobias\Downloads\Tunngle_Setup_v5.0.exe
2014-12-22 21:07 - 2014-12-22 23:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2014-12-21 09:48 - 2014-12-21 09:48 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-21 09:48 - 2014-12-21 09:48 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-21 00:56 - 2014-12-21 00:56 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-20 11:13 - 2014-12-20 11:13 - 00297226 _____ () C:\Windows\msxml4-KB954430-enu.LOG
2014-12-20 11:13 - 2014-12-20 11:13 - 00297222 _____ () C:\Windows\msxml4-KB973688-enu.LOG
2014-12-20 11:13 - 2014-12-20 11:13 - 00000000 ____D () C:\Program Files (x86)\MSXML 4.0
2014-12-20 11:11 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-20 11:11 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-20 11:11 - 2014-07-07 03:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2014-12-20 11:11 - 2014-07-07 03:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2014-12-20 11:11 - 2014-07-07 03:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2014-12-20 11:11 - 2014-07-07 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2014-12-20 11:11 - 2014-07-07 02:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2014-12-20 11:11 - 2014-07-07 02:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2014-12-20 11:11 - 2014-07-07 02:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2014-12-20 11:11 - 2014-07-07 02:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2014-12-19 14:58 - 2014-12-19 15:02 - 00000000 ____D () C:\Users\Tobias\Downloads\D&D 5e books
2014-12-19 14:56 - 2014-12-19 14:56 - 00015892 _____ () C:\Users\Tobias\Downloads\[kickass.so]d.d.5e.player.s.handbook.monster.manual.adventure.lost.mine.of.phandelver.torrent
2014-12-19 02:50 - 2014-12-26 18:38 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\NCH Software
2014-12-19 02:50 - 2014-12-26 18:17 - 00000000 ____D () C:\Windows\System32\Tasks\NCH Software
2014-12-19 02:50 - 2014-12-19 02:50 - 00001236 _____ () C:\Users\Public\Desktop\NCH Suite.lnk
2014-12-19 02:50 - 2014-12-19 02:50 - 00001122 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debut Video Capture Software.lnk
2014-12-19 02:50 - 2014-12-19 02:50 - 00001110 _____ () C:\Users\Public\Desktop\Debut Video Capture Software.lnk
2014-12-19 02:50 - 2014-12-19 02:50 - 00000000 ____D () C:\ProgramData\NCH Software
2014-12-19 02:50 - 2014-12-19 02:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
2014-12-19 02:50 - 2014-12-19 02:50 - 00000000 ____D () C:\Program Files (x86)\NCH Software
2014-12-16 21:53 - 2014-12-17 10:53 - 00001197 _____ () C:\Users\Tobias\Desktop\rap.txt
2014-12-15 01:33 - 2014-12-15 01:33 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\MAGIX
2014-12-15 01:14 - 2015-01-08 15:42 - 00000440 _____ () C:\Windows\Tasks\PCCT - MAGIX AG.job
2014-12-15 01:14 - 2014-12-15 01:14 - 00002828 _____ () C:\Windows\System32\Tasks\PCCT - MAGIX AG
2014-12-15 01:14 - 2014-12-15 01:14 - 00000000 ____D () C:\Users\Tobias\Documents\OnDemandDump
2014-12-15 01:14 - 2014-12-15 01:14 - 00000000 ____D () C:\Users\Tobias\Documents\MAGIX_MxTray
2014-12-15 01:14 - 2014-12-15 01:14 - 00000000 ____D () C:\Users\Tobias\Documents\CrashLog
2014-12-15 01:13 - 2014-12-15 01:33 - 00000000 ____D () C:\ProgramData\MAGIX
2014-12-15 01:13 - 2014-12-15 01:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MAGIX
2014-12-15 01:13 - 2014-12-15 01:13 - 00000000 ____D () C:\Program Files (x86)\MAGIX
2014-12-15 01:09 - 2014-12-15 01:09 - 41085024 _____ (MAGIX AG) C:\Users\Tobias\Downloads\setup_pc_check_tuning.exe
2014-12-14 23:12 - 2014-12-14 23:15 - 00023362 _____ () C:\Users\Tobias\Desktop\SB2 AUFGABE3.odt
2014-12-11 02:36 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-11 02:36 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-11 02:36 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-11 02:36 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-11 02:36 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-11 02:36 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-11 02:36 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-11 02:36 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-11 02:35 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-11 02:35 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-11 02:35 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-11 02:35 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-11 02:35 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-11 02:35 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-11 02:35 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-11 02:35 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-11 02:35 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-11 02:35 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-11 02:35 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-11 02:35 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-11 02:35 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation)
C:\Windows\system32\ieui.dll 2014-12-11 02:35 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-12-11 02:35 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-12-11 02:35 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-12-11 02:35 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-12-11 02:35 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-12-11 02:35 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-12-11 02:35 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-12-11 02:35 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-12-11 02:35 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-12-11 02:35 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-12-11 02:35 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-12-11 02:35 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-12-11 02:35 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-12-11 02:35 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-12-11 02:35 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-12-11 02:35 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-12-11 02:35 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-12-11 02:35 - 2014-11-22 02:58 - 00030720 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-12-11 02:35 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-12-11 02:35 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-12-11 02:35 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-12-11 02:35 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-12-11 02:35 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-12-11 02:35 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-12-11 02:35 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-12-11 02:35 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-12-11 02:35 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-12-11 02:35 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-12-11 02:35 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-12-11 02:35 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-12-11 02:35 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-12-11 02:35 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-12-11 02:35 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-12-11 02:35 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-12-11 02:35 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-12-11 02:35 - 2014-11-22 02:15 - 01548288 _____ 
(Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-12-11 02:35 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-12-11 02:35 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-12-11 02:35 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-12-11 02:35 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-12-11 02:35 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-12-11 02:35 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll 2014-12-11 02:35 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll 2014-12-11 02:35 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys 2014-12-11 02:34 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll 2014-12-11 02:34 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll 2014-12-11 02:34 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe 2014-12-11 02:34 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe 2014-12-11 02:34 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll 2014-12-11 02:34 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll 2014-12-11 02:34 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll 2014-12-11 02:34 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll 2014-12-11 02:34 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe 2014-12-11 02:34 - 2014-10-03 02:45 - 01177088 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll 2014-12-11 02:34 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll 2014-12-11 02:34 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll 2014-12-11 02:34 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll 2014-12-11 02:34 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe 2014-12-11 00:56 - 2014-12-11 00:57 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-12-09 22:27 - 2014-12-09 22:27 - 03981488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2015-01-08 16:37 - 2012-08-21 02:32 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat 2015-01-08 16:35 - 2012-08-21 00:32 - 00001124 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA.job 2015-01-08 16:27 - 2013-11-12 15:45 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2015-01-08 16:07 - 2012-08-21 03:02 - 00000932 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA.job 2015-01-08 15:54 - 2014-07-14 01:19 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2015-01-08 15:50 - 2009-07-14 05:45 - 00027888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2015-01-08 15:50 - 2009-07-14 05:45 - 00027888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2015-01-08 15:46 - 2012-08-20 23:57 - 01413989 _____ () C:\Windows\WindowsUpdate.log 2015-01-08 15:44 - 2014-04-27 14:00 - 00038426 _____ () C:\Windows\setupact.log 2015-01-08 15:42 - 2012-11-07 19:17 
- 00000000 ___RD () C:\Users\Tobias\Dropbox 2015-01-08 15:39 - 2012-11-07 19:14 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Dropbox 2015-01-08 15:38 - 2012-08-21 00:39 - 00000000 ____D () C:\ProgramData\NVIDIA 2015-01-08 15:38 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2015-01-08 15:10 - 2014-10-20 19:21 - 00000000 ____D () C:\Program Files (x86)\iTunes 2015-01-08 15:09 - 2012-08-21 00:22 - 00000000 ____D () C:\Users\Tobias 2015-01-08 14:13 - 2014-06-13 19:33 - 00000000 ____D () C:\Windows\Minidump 2015-01-08 14:02 - 2014-07-30 20:05 - 00592370 _____ () C:\Windows\system32\Drivers\fvstore.dat 2015-01-08 14:02 - 2012-08-21 03:51 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Skype 2015-01-08 13:17 - 2012-08-21 03:02 - 00000910 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core.job 2015-01-07 23:52 - 2012-08-21 19:59 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\TS3Client 2015-01-07 22:35 - 2012-08-21 00:32 - 00001072 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core.job 2015-01-07 22:29 - 2014-11-02 13:37 - 00020491 _____ () C:\Users\Tobias\Downloads\Bartholomäus.ods 2015-01-07 17:57 - 2014-07-14 01:19 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys 2015-01-07 17:57 - 2014-07-14 01:19 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2015-01-07 17:57 - 2014-07-14 01:19 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2015-01-07 17:57 - 2014-07-14 01:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2015-01-07 17:57 - 2014-07-14 01:19 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2015-01-07 17:09 - 2012-08-24 18:39 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information 2015-01-06 21:21 - 2014-02-23 11:45 - 00000000 ____D () 
C:\Program Files (x86)\Overwolf 2015-01-04 10:55 - 2009-07-14 05:45 - 00309736 _____ () C:\Windows\system32\FNTCACHE.DAT 2015-01-04 10:54 - 2012-10-12 13:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service 2015-01-01 23:53 - 2014-04-08 12:53 - 00000000 ____D () C:\The KMPlayer 2014-12-26 22:22 - 2014-04-07 18:25 - 00000000 ____D () C:\Users\Tobias\AppData\Local\Paint.NET 2014-12-26 18:34 - 2012-08-21 00:32 - 00067200 _____ () C:\Users\Tobias\AppData\Local\GDIPFONTCACHEV1.DAT 2014-12-26 11:27 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache 2014-12-24 15:13 - 2012-08-21 03:52 - 00000000 ____D () C:\Users\Tobias\AppData\Local\Thunderbird 2014-12-23 00:00 - 2012-09-26 22:32 - 00219136 ___SH () C:\Users\Tobias\Thumbs.db 2014-12-22 23:33 - 2014-03-26 23:04 - 00000000 ____D () C:\Program Files (x86)\Tunngle 2014-12-22 23:33 - 2014-03-25 17:45 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Tunngle 2014-12-22 23:20 - 2012-08-22 19:18 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\vlc 2014-12-21 01:26 - 2012-08-23 00:00 - 00000000 ____D () C:\Users\Tobias\AppData\Local\Adobe 2014-12-21 01:17 - 2013-11-12 15:45 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-12-21 01:17 - 2013-02-09 22:21 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-12-21 01:17 - 2013-02-09 22:21 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-12-21 00:56 - 2014-06-14 07:38 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-12-21 00:56 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions 2014-12-21 00:56 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat 2014-12-20 11:20 - 2013-08-15 00:57 - 00000000 ____D () C:\Windows\system32\MRT 2014-12-20 11:13 - 2012-08-21 15:18 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-12-19 20:35 - 2014-04-18 20:00 - 00000000 ____D () 
C:\Users\Tobias\AppData\Roaming\uTorrent 2014-12-19 14:56 - 2014-11-29 20:04 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\.ACEStream 2014-12-16 22:02 - 2014-11-29 20:06 - 00000000 ___HD () C:\_acestream_cache_ 2014-12-15 08:56 - 2012-08-21 02:04 - 00203226 _____ () C:\Windows\PFRO.log 2014-12-13 20:44 - 2012-11-07 19:17 - 00001021 _____ () C:\Users\Tobias\Desktop\Dropbox.lnk 2014-12-13 20:44 - 2012-11-07 19:15 - 00000000 ____D () C:\Users\Tobias\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2014-12-12 11:12 - 2014-05-15 12:25 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO 2014-12-12 10:42 - 2009-07-14 18:58 - 00801286 _____ () C:\Windows\system32\perfh007.dat 2014-12-12 10:42 - 2009-07-14 18:58 - 00206086 _____ () C:\Windows\system32\perfc007.dat 2014-12-11 20:14 - 2014-09-22 10:14 - 00000000 ____D () C:\Users\Tobias\.maptool 2014-12-09 01:20 - 2014-05-15 12:24 - 00354520 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll 2014-12-09 01:20 - 2014-05-15 12:24 - 00286424 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll 2014-12-09 01:20 - 2014-05-15 12:24 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll 2014-12-09 01:20 - 2014-05-15 12:24 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll 2014-12-09 01:20 - 2012-03-11 20:13 - 00792648 _____ (COMODO) C:\Windows\system32\Drivers\cmdGuard.sys 2014-12-09 01:20 - 2012-03-11 20:13 - 00437792 _____ (COMODO) C:\Windows\system32\guard64.dll 2014-12-09 01:20 - 2012-03-11 20:13 - 00352272 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll 2014-12-09 01:20 - 2012-03-11 20:13 - 00045880 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys 2014-12-09 01:20 - 2012-03-11 20:13 - 00040736 _____ (COMODO) C:\Windows\system32\cmdcsr.dll 2014-12-09 01:20 - 2012-03-11 20:13 - 00020184 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys 2014-12-09 01:20 - 2012-02-03 18:27 - 00104608 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys Some content of TEMP: ==================== 
C:\Users\Tobias\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpzydbqv.dll C:\Users\Tobias\AppData\Local\Temp\_is4603.exe C:\Users\Tobias\AppData\Local\Temp\_isC729.exe C:\Users\Tobias\AppData\Local\Temp\_isEDD.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2015-01-04 11:50 ==================== End Of Log ============================ --- --- --- Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-01-2015 Ran by Tobias at 2015-01-08 16:38:56 Running from C:\Users\Tobias\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: COMODO Antivirus (Enabled - Up to date) {F0BC89B2-8937-0933-021B-B17D981F2A71} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Comodo Defense+ (Enabled - Up to date) {4BDD6856-AF0D-06BD-38AB-8A0FE39860CC} FW: COMODO Firewall (Disabled) {C8870897-C358-086B-2944-184866CC6D0A} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) µTorrent (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\uTorrent) (Version: 3.4.2.35702 - BitTorrent Inc.) Ace Stream Media 3.0.4 (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\AceStream) (Version: 3.0.4 - Ace Stream Media) Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated) Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated) Adobe Reader X (10.1.8) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.8 - Adobe Systems Incorporated) A-PDF INFO Changer 2.0 (HKLM-x32\...\A-PDF INFO Changer_is1) (Version: - A-PDF.com) Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.) Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) 
Ashampoo Photo Optimizer 5 v.5.1.1 (HKLM-x32\...\Ashampoo Photo Optimizer 5_is1) (Version: 5.1.1 - Ashampoo GmbH & Co. KG) BASE 5.5 (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\BASE 5.5) (Version: - ) Battle.net (HKLM-x32\...\Battle.net) (Version: - Blizzard Entertainment) BitTorrent (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\BitTorrent) (Version: 7.9.2.32692 - BitTorrent Inc.) BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.9.4.4079 - BlueStack Systems, Inc.) BlueStacks Notification Center (HKLM-x32\...\{8DCCC556-265B-478A-8B32-C12DA988BA74}) (Version: 0.9.4.4079 - BlueStack Systems, Inc.) Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.) Codecs for Windows 7 Pack 4.0.5 (HKLM-x32\...\Codecs for Windows 7 Pack) (Version: 4.0.5 - Codecs for Windows 7 Pack) COMODO Internet Security (HKLM\...\{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}) (Version: 5.10.31649.2253 - COMODO Security Solutions Inc.) Copernic Desktop Search 4 (HKLM-x32\...\CopernicDesktopSearch4) (Version: 4.0.2.1085 - Copernic Inc.) Copernic Desktop Search 4 (x32 Version: 4.0.2.1085 - Copernic Inc.) Hidden CPUID CPU-Z 1.66.1 (HKLM\...\CPUID CPU-Z_is1) (Version: - ) d20Pro (HKLM-x32\...\d20Pro) (Version: - ) DAEMON Tools Ultra (HKLM-x32\...\DAEMON Tools Ultra) (Version: 2.1.0.0187 - Disc Soft Ltd) DAoC Portal (HKLM-x32\...\{EC9359B3-2548-4DB1-B322-6D71A17501F9}) (Version: 2.8.2 - Dawn of Light) DAOC-Charplan (HKLM-x32\...\DAOCCharplan) (Version: - ) Dark Age of Camelot (HKLM-x32\...\Dark Age of Camelot) (Version: - Electronic Arts) Debut Video Capture Software (HKLM-x32\...\Debut) (Version: 2.05 - NCH Software) DisplayFusion 4.1 (HKLM-x32\...\B076073A-5527-4f4f-B46B-B10692277DA2_is1) (Version: 4.1.0.0 - Binary Fortress Software) DivX-Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.90 - DivX, LLC) Dropbox (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.) 
EroBottle 4.6 (HKLM-x32\...\EroBottle) (Version: 4.6 - Kai Ebersbach - www.erosoft.de) EroBottle-Extensions-Editor Vers. 1.4 (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\EroBottle-Extensions-Editor Vers. 1.4) (Version: - ) Evernote v. 5.6.4 (HKLM-x32\...\{DFDF0BE2-2D71-11E4-9454-00163E98E7D6}) (Version: 5.6.4.4632 - Evernote Corp.) Facebook Video Calling 1.2.0.287 (HKLM-x32\...\{B92C5909-1D37-4C51-8397-A28BB28E5DC3}) (Version: 1.2.287 - Skype Limited) Fraps (remove only) (HKLM-x32\...\Fraps) (Version: - ) GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden Genesis version Genesis Launcher 1.005 (HKLM-x32\...\{975e7799-c584-47f0-9c12-c1551f3e95f2}_is1) (Version: Genesis Launcher 1.005 - Pawel D. alias Laplume for Genesis.) Google Chrome (HKU\S-1-5-21-2764848105-337601815-2700051401-1000\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.) Google Chrome (HKU\S-1-5-21-2764848105-337601815-2700051401-1003\...\Google Chrome) (Version: 21.0.1180.83 - Google Inc.) Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google) Hearthstone (HKLM-x32\...\Hearthstone) (Version: - Blizzard Entertainment) Hero Lab 4.1 (HKLM-x32\...\{760AA190-82DF-4A80-BE05-B9FEEC88946D}_is1) (Version: 4.1 - LWD Technology, Inc.) iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.) iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.) Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.670 - Oracle) JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH) JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.65.11 - JMicron Technology Corp.) Logitech Gaming Software 8.30 (HKLM\...\Logitech Gaming Software) (Version: 8.30.86 - Logitech Inc.) LogMeIn Hamachi (HKLM-x32\...\LogMeIn Hamachi) (Version: 2.2.0.58 - LogMeIn, Inc.) 
LogMeIn Hamachi (x32 Version: 2.2.0.58 - LogMeIn, Inc.) Hidden MAGIX PC Check & Tuning Free 2011 (HKLM-x32\...\MAGIX_MSI_PC_Check_Tuning_Free_2011) (Version: 6.0.403.1050 - MAGIX AG) MAGIX PC Check & Tuning Free 2011 (x32 Version: 6.0.403.1050 - MAGIX AG) Hidden MAGIX Screenshare (HKLM-x32\...\{B63DFA23-5C10-44B4-881D-45EFBF4A4761}) (Version: 4.3.6.1987 - MAGIX AG) Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation) Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) MiKTeX 2.9 (HKLM-x32\...\MiKTeX 2.9) (Version: 2.9 - MiKTeX.org) Mora's Ausrüstungsplaner (HKLM-x32\...\{8A33CE67-80FB-4469-9ED1-E5D116391F68}_is1) (Version: 1.72 - Mora) MorphVOX Junior (HKLM-x32\...\{E6C7380F-15DD-445E-BA02-B7A180BA0A5A}) (Version: 2.8.1 
- Screaming Bee) Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla) Mozilla Thunderbird 31.3.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 31.3.0 (x86 de)) (Version: 31.3.0 - Mozilla) MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) NEF Codec (HKLM-x32\...\{D6506521-0959-4FA3-875F-E2E28830B0D2}) (Version: 1.00.0000 - Nikon) NSU (HKLM-x32\...\{323F7AD9-1F4D-49E1-973B-80E1B6F1623A}) (Version: 1.00.1000 - Medion AG) NVIDIA 3D Vision Controller-Treiber 334.89 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 334.89 - NVIDIA Corporation) NVIDIA 3D Vision Treiber 334.89 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 334.89 - NVIDIA Corporation) NVIDIA GeForce Experience 1.8.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.8.1 - NVIDIA Corporation) NVIDIA Grafiktreiber 334.89 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 334.89 - NVIDIA Corporation) NVIDIA HD-Audiotreiber 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation) NVIDIA PhysX-Systemsoftware 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation) NVIDIA Virtual Audio 1.2.19 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver) (Version: 1.2.19 - NVIDIA Corporation) OpenOffice.org 3.4.1 (HKLM-x32\...\{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}) (Version: 3.41.9593 - Apache Software Foundation) Overwolf (HKLM-x32\...\Overwolf) (Version: 0.82.103.0 - Overwolf Ltd.) 
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41418}) (Version: 3.61.0 - dotPDN LLC) Patch Origins version 1.0.11 (HKLM-x32\...\{75147b12-6219-448d-886b-0a9a02d1e648}_is1) (Version: 1.0.11 - Pawel D. alias Laplume pour Origins.) PCGen6000 (HKLM-x32\...\PCGen6000) (Version: - ) PDF Architect (HKLM-x32\...\{80A07844-CA64-4DE4-AB61-D37DDBE8074F}) (Version: 1.0.52.8917 - pdfforge) PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.6.2 - pdfforge) QuickTime (HKLM-x32\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.) RarZilla Free Unrar (HKLM-x32\...\RarZilla Free Unrar) (Version: 4.80 - Philipp Winterberg) Razer Core (HKLM-x32\...\Razer Core) (Version: 1.0.1.66 - Razer Inc) Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.17.22 - Razer Inc.) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7083 - Realtek Semiconductor Corp.) Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.14113.3 - Samsung Electronics Co., Ltd.) Samsung Kies3 (x32 Version: 3.2.14113.3 - Samsung Electronics Co., Ltd.) Hidden Scrabble3D (HKLM-x32\...\{E11BBF69-C686-45B3-9267-CE44603B47AE}) (Version: 3.1.0.29 - Heiko Tietze) SHIELD Streaming (Version: 1.6.85 - NVIDIA Corporation) Hidden Sid Meier's Civilization 4 - Beyond the Sword (HKLM-x32\...\{32E4F0D2-C135-475E-A841-1D59A0D22989}) (Version: 3.19 - Firaxis Games) Sid Meier's Civilization 4 - Warlords (HKLM-x32\...\{3E4B349F-10B5-4586-9D99-489A90A8B228}) (Version: 2.13 - Firaxis Games) Sid Meier's Civilization 4 (HKLM-x32\...\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}) (Version: 1.74 - Firaxis Games) Sid Meier's Civilization 4 (x32 Version: 1.00.0000 - Firaxis Games) Hidden SimilarWeb (HKLM-x32\...\SimilarWeb) (Version: 0.0.0.1 - SimilarWeb) <==== ATTENTION! 
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.) SlimDrivers (HKLM-x32\...\{A5457401-D56A-43F2-9524-78E54A7FC07A}) (Version: 2.2.32705 - SlimWare Utilities, Inc.) Steam (HKLM-x32\...\Steam) (Version: - Valve Corporation) TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH) TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.27339 - TeamViewer) TeXstudio 2.6.6 (HKLM-x32\...\TeXstudio_is1) (Version: 2.6.6 - Benito van der Zander) The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version: - Bethesda Game Studios) The KMPlayer (HKLM-x32\...\The KMPlayer) (Version: 3.8.0.122 - PandoraTV) ThrashIRC version 2.9 (HKLM-x32\...\{D3C0BE0C-9761-4AC1-8CEF-B53796FEDE44}) (Version: 2.9.0 - Anthony Thrash Durbin) TuneUp Utilities Language Pack (de-DE) (x32 Version: 13.0.3000.132 - TuneUp Software) Hidden Tunngle Version Tunngle (HKLM-x32\...\Tunngle_is1) (Version: Tunngle - Tunngle.net GmbH) VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0 - DivX, Inc) Hidden VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes) VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN) Wondershare TunesGo(Version 5.0.0) (HKLM-x32\...\{ADBA24FE-D6F6-4B21-97F3-D58A327422E4}_is1) (Version: 5.0.0 - Wondershare) x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM-x32\...\x264vfw) (Version: - ) Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2764848105-337601815-2700051401-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Tobias\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File ==================== Restore Points ========================= 18-12-2014 20:10:55 Geplanter Prüfpunkt 20-12-2014 11:09:53 Windows Update 21-12-2014 01:02:22 MAGIX Treiberinstallation Chipset Device Software for G41 Express Chipset 21-12-2014 01:05:16 MAGIX Treiberinstallation INF Update Utility 9.2.0.1025 21-12-2014 10:47:46 Windows Update 22-12-2014 19:39:08 MAGIX Treiberinstallation Chipset Device Software for G41 Express Chipset 22-12-2014 20:07:28 MAGIX Treiberinstallation INF Update Utility 9.2.0.1025 22-12-2014 23:32:29 Tunngle 5.0 Setup 04-01-2015 11:59:21 Geplanter Prüfpunkt 07-01-2015 17:08:45 Installed Samsung Kies3 08-01-2015 15:17:16 Gerätetreiber-Paketinstallation: Google, Inc. ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 
2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {014230B5-5CE6-461C-AD51-89D7F403E9DC} - \Hoolapp For Android No Task File <==== ATTENTION Task: {06869D83-2559-47D9-BB69-9127BB5F81B8} - \Hoolapp Init No Task File <==== ATTENTION Task: {0ACE5948-49B8-4051-B091-2D7731DAB0AF} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-09] (COMODO) Task: {1F4CE6EE-F11B-4D45-BD80-648A7AE51668} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-09] (COMODO) Task: {2149ACB9-406A-4799-B03D-E464744C55B0} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-09] (COMODO) Task: {3278CC75-2A4F-42E5-9E45-0B23993A37FC} - System32\Tasks\PCCT - MAGIX AG => C:\Program Files (x86)\MAGIX\PC_Check_Tuning_Free_2011\MxTray.exe [2010-11-08] () Task: {435F4013-DAB5-42A2-8608-FE980F293497} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) 
Task: {4A6BB261-2823-48D6-B5FF-3605A1B5D549} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core => C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe Task: {691C49CE-11A0-45E9-9C8C-E65A79D92283} - System32\Tasks\{4A09BFD2-B95A-4FE7-B0FB-2AAB11EC6532} => pcalua.exe -a C:\Users\Tobias\Downloads\eb-edit-install-1.4.exe -d C:\Users\Tobias\Downloads Task: {6B755F87-F4C7-4626-8374-BD064460E943} - \BrowserProtect No Task File <==== ATTENTION Task: {6EC5EE04-6804-4582-9F1B-F1D9319F54BF} - System32\Tasks\{2C2811EC-68D2-4790-A416-DCB51A70191C} => pcalua.exe -a "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\InstallHook.exe" -d "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\" -c ts3overlay_hook_win32.dll 10000 Task: {70CE8F9B-36A7-4EE3-AB38-59EED8E2D903} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-21] (Google Inc.) Task: {7E1D9860-FBE9-4579-95BC-8DC98D2CCBB2} - \YourFile DownloaderUpdate No Task File <==== ATTENTION Task: {C6B6DD74-7D6C-4DD0-93D8-4DBEECDA58C8} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-21] (Google Inc.) 
Task: {CA52BB50-4FB5-409E-B7E4-46F3F176FCC1} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA => C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe Task: {D16C173F-EEF5-4641-ACAD-F5D7A5DCAF4F} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-09] (COMODO) Task: {D1C7621B-5C1D-4484-B24A-2BBB99883037} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-09] (COMODO) Task: {FB26CFD0-7289-4703-9BBC-9DC6E4546010} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-21] (Adobe Systems Incorporated) Task: {FE5EBA15-6BF4-4147-85F2-0417A7E0D17B} - System32\Tasks\Overwolf Updater Task => C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [2014-12-29] (Overwolf LTD) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core.job => C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA.job => C:\Users\Tobias\AppData\Local\Facebook\Update\FacebookUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000Core.job => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2764848105-337601815-2700051401-1000UA.job => C:\Users\Tobias\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\PCCT - MAGIX AG.job => C:\Program Files (x86)\MAGIX\PC_Check_Tuning_Free_2011\MxTray.exe ==================== Loaded Modules (whitelisted) ============= 2012-08-21 00:38 - 2014-02-08 18:42 - 00117024 _____ () 
C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll 2013-11-15 01:48 - 2013-11-15 01:48 - 01861968 _____ () C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe 2011-12-19 17:59 - 2013-04-15 18:39 - 00073424 _____ () C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav 2015-01-07 18:16 - 2015-01-07 18:16 - 00050477 _____ () C:\Users\Tobias\Desktop\Defogger.exe 2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2014-10-11 12:05 - 2014-10-11 12:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll 2013-09-14 01:51 - 2013-09-14 01:51 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Internet Services\zlib1.dll 2013-09-14 01:50 - 2013-09-14 01:50 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Internet Services\libxml2.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Tobias\AppData\Roaming\Dropbox\bin\libGLESv2.dll 2015-01-08 15:39 - 2015-01-08 15:39 - 00043008 _____ () c:\users\tobias\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpzydbqv.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\Tobias\AppData\Roaming\Dropbox\bin\libEGL.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\Tobias\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll 2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\Tobias\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll 2014-08-26 15:47 - 2014-08-26 15:47 - 00436576 _____ () C:\Program Files (x86)\Evernote\Evernote\libxml2.dll 2014-08-26 15:47 - 2014-08-26 15:47 - 00318304 _____ () C:\Program Files (x86)\Evernote\Evernote\libtidy.dll 2012-08-10 15:51 - 2012-08-10 15:51 - 00985088 _____ () C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll 2013-11-15 01:49 - 2013-11-15 01:49 - 00100688 _____ () C:\Program Files (x86)\DivX\DivX 
Update\DivXUpdateCheck.dll 2015-01-08 15:10 - 2015-01-08 15:10 - 01498112 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll 2015-01-08 15:10 - 2015-01-08 15:10 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll 2014-12-11 00:56 - 2014-12-11 00:57 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) AlternateDataStreams: C:\Windows\system32\ieUnatt.exe:$CmdTcID AlternateDataStreams: C:\Windows\SysWOW64\FlashPlayerApp.exe:$CmdTcID AlternateDataStreams: C:\Windows\SysWOW64\ieUnatt.exe:$CmdTcID AlternateDataStreams: C:\Windows\system32\Drivers\mbam.sys:$CmdTcID AlternateDataStreams: C:\Windows\system32\Drivers\mbamchameleon.sys:$CmdTcID AlternateDataStreams: C:\Windows\system32\Drivers\mwac.sys:$CmdTcID AlternateDataStreams: C:\ProgramData\TEMP:05EE1EEF AlternateDataStreams: C:\Users\Tobias\Desktop\3+-+Kognitive+Aktivierung.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Alpines - Cocoon - from YouTube.mp3:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Chairlift - Amanaemonesia - from YouTube.mp3:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Chairlift - Bruises - from YouTube.mp3:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Defogger.exe:$CmdTcID AlternateDataStreams: C:\Users\Tobias\Desktop\Defogger.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\FRST64.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Grimes - Vanessa (Official Video) - from YouTube.mp3:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Logarithmusaufgaben 1.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\Logarithmusaufgaben mit Lösungen.PDF:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Desktop\o5lw8g6g.exe:$CmdTcID AlternateDataStreams: 
C:\Users\Tobias\Desktop\o5lw8g6g.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Aufgaben_und_Loesungen_zu_Logarithmen.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Charakter_N'Tser Hreshzar Lodokain (1).pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Charakter_N'Tser Hreshzar Lodokain.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\DieWinterkoenigin-Spielerleitfaden_80ff (1).pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\DS-Battlefield.jpg:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Falkengrunds_letzte_Hoffnung_f2d3.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\GS-Blob.jpg:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\GS_Schlangenmensch.jpg:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\GT_Klosterkarte.jpg:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Kies_3.2.14113_3.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\setup_pc_check_tuning.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Spielleiterinformationen_Finstermond_Module_als_Kampagne_00f6.pdf:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\TunesGoforAndroid.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Tunngle_Setup_v5.0 (1).exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Tunngle_Setup_v5.0.exe:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\Versuch-21.odt:$CmdZnID AlternateDataStreams: C:\Users\Tobias\Downloads\[kickass.so]d.d.5e.player.s.handbook.monster.manual.adventure.lost.mine.of.phandelver.torrent:$CmdZnID ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Hamachi2Svc => ""="Service" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. 
None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files (x86)\BlueStacks\HD-Agent.exe MSCONFIG\startupreg: DAEMON Tools Ultra Agent => "C:\Program Files (x86)\DAEMON Tools Ultra\DTAgent.exe" -autorun MSCONFIG\startupreg: Hoolapp Android => "C:\Users\Tobias\AppData\Roaming\HOOLAP~1\Hoolapp.exe" /Minimized MSCONFIG\startupreg: LogMeIn Hamachi Ui => "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start MSCONFIG\startupreg: Overwolf => C:\Program Files (x86)\Overwolf\Overwolf.exe -silent MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun MSCONFIG\startupreg: VirtualCloneDrive => "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s MSCONFIG\startupreg: Zune Launcher => "C:\Program Files\Zune\ZuneLauncher.exe" ========================= Accounts: ========================== Administrator (S-1-5-21-2764848105-337601815-2700051401-500 - Administrator - Disabled) Gast (S-1-5-21-2764848105-337601815-2700051401-501 - Limited - Disabled) HomeGroupUser$ (S-1-5-21-2764848105-337601815-2700051401-1014 - Limited - Enabled) Tobias (S-1-5-21-2764848105-337601815-2700051401-1000 - Administrator - Enabled) => C:\Users\Tobias ==================== Faulty Device Manager Devices ============= Name: Hamachi Network Interface Description: Hamachi Network Interface Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: LogMeIn, Inc. Service: hamachi Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. Name: Schwertwal Description: SM-G800F Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a} Manufacturer: Samsung Electronics Co., Ltd. Service: WUDFRd Problem: : This device cannot start. 
(Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. ==================== Event log errors: ========================= Application errors: ================== Error: (01/08/2015 03:42:10 PM) (Source: BstHdAndroidSvc) (EventID: 0) (User: ) Description: Der Dienst kann nicht gestartet werden. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run. bei BlueStacks.hyperDroid.Service.Service.OnStart(String[] args) bei System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state) Error: (01/08/2015 03:22:15 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: TunesGo.exe, Version: 5.0.0.35, Zeitstempel: 0x5476a00f Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000000 ID des fehlerhaften Prozesses: 0x1f28 Startzeit der fehlerhaften Anwendung: 0xTunesGo.exe0 Pfad der fehlerhaften Anwendung: TunesGo.exe1 Pfad des fehlerhaften Moduls: TunesGo.exe2 Berichtskennung: TunesGo.exe3 Error: (01/08/2015 02:20:09 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm o5lw8g6g.exe, Version 2.1.19357.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 494 Startzeit: 01d02b4577f3534f Endzeit: 0 Anwendungspfad: C:\Users\Tobias\Desktop\o5lw8g6g.exe Berichts-ID: 0cd4762e-9739-11e4-9b4a-a3f4e866ae11 Error: (01/08/2015 02:14:22 PM) (Source: BstHdAndroidSvc) (EventID: 0) (User: ) Description: Der Dienst kann nicht gestartet werden. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run. 
bei BlueStacks.hyperDroid.Service.Service.OnStart(String[] args) bei System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state) Error: (01/08/2015 00:39:27 AM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (01/07/2015 06:40:57 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (01/07/2015 06:40:57 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (01/07/2015 06:35:25 PM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"1". 
Fehler in Manifest- oder Richtliniendatei "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"2" in Zeile Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161". Definition: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.1". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (01/07/2015 06:35:25 PM) (Source: SideBySide) (EventID: 35) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"1". Fehler in Manifest- oder Richtliniendatei "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"2" in Zeile Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"3. Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein. Verweis: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161". Definition: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.1". Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose. Error: (01/07/2015 06:30:31 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". 
Die abhängige Assemblierung "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". System errors: ============= Error: (01/08/2015 03:44:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Error: (01/08/2015 03:44:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Error: (01/08/2015 03:44:27 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Error: (01/08/2015 03:42:10 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "BlueStacks Android Service" wurde mit folgendem Fehler beendet: %%1064 Error: (01/08/2015 03:40:15 PM) (Source: Service Control Manager) (EventID: 7022) (User: ) Description: Der Dienst "BlueStacks Android Service" wurde nicht richtig gestartet. Error: (01/08/2015 03:38:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: Der Dienst "LogMeIn Hamachi Tunneling Engine" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error: (01/08/2015 03:38:55 PM) (Source: Service Control Manager) (EventID: 7009) (User: ) Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst LogMeIn Hamachi Tunneling Engine erreicht. 
Error: (01/08/2015 03:37:05 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Error: (01/08/2015 02:42:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Error: (01/08/2015 02:42:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Der Dienst "Peernetzwerk-Gruppenzuordnung" ist vom Dienst "Peer Name Resolution-Protokoll" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1058 Microsoft Office Sessions: ========================= Error: (01/08/2015 03:42:10 PM) (Source: BstHdAndroidSvc) (EventID: 0) (User: ) Description: Der Dienst kann nicht gestartet werden. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run. bei BlueStacks.hyperDroid.Service.Service.OnStart(String[] args) bei System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state) Error: (01/08/2015 03:22:15 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: TunesGo.exe5.0.0.355476a00funknown0.0.0.000000000c0000005000000001f2801d02b4cd170b448C:\Program Files (x86)\Wondershare\TunesGo\TunesGo.exeunknownbe4344a3-9741-11e4-9b4a-001d7da6420f Error: (01/08/2015 02:20:09 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: o5lw8g6g.exe2.1.19357.049401d02b4577f3534f0C:\Users\Tobias\Desktop\o5lw8g6g.exe0cd4762e-9739-11e4-9b4a-a3f4e866ae11 Error: (01/08/2015 02:14:22 PM) (Source: BstHdAndroidSvc) (EventID: 0) (User: ) Description: Der Dienst kann nicht gestartet werden. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run. 
bei BlueStacks.hyperDroid.Service.Service.OnStart(String[] args) bei System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state) Error: (01/08/2015 00:39:27 AM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe Error: (01/07/2015 06:40:57 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Program Files (x86)\OpenOffice.org 3\program\scd.dll Error: (01/07/2015 06:40:57 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Program Files (x86)\OpenOffice.org 3\program\scd.dll Error: (01/07/2015 06:35:25 PM) (Source: SideBySide) (EventID: 35) (User: ) Description: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.1"C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt.24.dllC:\Users\Tobias\AppData\Roaming\Dropbox\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST4 Error: (01/07/2015 06:35:25 PM) (Source: SideBySide) (EventID: 35) (User: ) Description: Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.6161"Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.1"C:\Users\Tobias\AppData\Roaming\Dropbox\bin\DropboxExt.24.dllC:\Users\Tobias\AppData\Roaming\Dropbox\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST4 Error: (01/07/2015 06:30:31 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: 
Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Program Files (x86)\OpenOffice.org 3\program\scd.dll
==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of memory in use: 37%
Total physical RAM: 6142.49 MB
Available physical RAM: 3846.2 MB
Total Pagefile: 12283.16 MB
Available Pagefile: 9658.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:596.07 GB) (Free:147.86 GB) NTFS
Drive d: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: () (Fixed) (Total:465.75 GB) (Free:37.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (NAS-SERVER) (CDROM) (Total:0.24 GB) (Free:0 GB) CDFS
Drive h: (CIV4) (CDROM) (Total:3.11 GB) (Free:0 GB) CDFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596.2 GB) (Disk ID: 7E967411)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=596.1 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 115D115D)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
==================== End Of Log ============================
08.01.2015, 18:04 | #4
Various problems with the computer and, most recently: WShelper.exe
Code:
ATTFilter GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2015-01-08 14:42:08 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 WDC_WD6401AALS-00E3A0 rev.05.01D05 596,17GB Running: o5lw8g6g.exe; Driver: C:\Users\Tobias\AppData\Local\Temp\uwdiipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076eb1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076eb1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076eb1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076eb1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 
6 bytes {JMP QWORD [RIP+0x984ea10]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]}
.text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B]
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebd3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefca250a0 6 bytes {JMP QWORD [RIP+0x9af90]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076d66ef0 6 bytes {JMP QWORD [RIP+0x9639140]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076d68184 6 bytes {JMP QWORD [RIP+0x9717eac]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetParent 0000000076d68530 6 bytes {JMP QWORD [RIP+0x9657b00]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076d69bcc 6 bytes {JMP QWORD [RIP+0x93b6464]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!PostMessageA 0000000076d6a404 6 bytes {JMP QWORD [RIP+0x93f5c2c]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!EnableWindow 0000000076d6aaa0 6 bytes {JMP QWORD [RIP+0x9755590]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!MoveWindow 0000000076d6aad0 6 bytes {JMP QWORD [RIP+0x9675560]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076d6c720 6 bytes {JMP QWORD [RIP+0x9613910]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076d6cd50 6 bytes {JMP QWORD [RIP+0x96f32e0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076d6d2b0 6 bytes {JMP QWORD [RIP+0x9432d80]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageA 0000000076d6d338 6 bytes {JMP QWORD [RIP+0x9472cf8]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076d6dc40 6 bytes {JMP QWORD [RIP+0x95523f0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076d6f510 6 bytes {JMP QWORD [RIP+0x9730b20]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d6f874 6 bytes {JMP QWORD [RIP+0x93707bc]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076d6fac0 6 bytes {JMP QWORD [RIP+0x94d0570]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076d70b74 6 bytes {JMP QWORD [RIP+0x944f4bc]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076d733b0 6 bytes {JMP QWORD [RIP+0x93ccc80]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076d74d4d 5 bytes {JMP QWORD [RIP+0x938b2e4]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!GetKeyState 0000000076d75010 6 bytes {JMP QWORD [RIP+0x95eb020]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076d75438 6 bytes {JMP QWORD [RIP+0x950abf8]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageW 0000000076d76b50 6 bytes {JMP QWORD [RIP+0x94894e0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!PostMessageW 0000000076d776e4 6 bytes {JMP QWORD [RIP+0x940894c]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076d7dd90 6 bytes {JMP QWORD [RIP+0x95822a0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076d7e874 6 bytes {JMP QWORD [RIP+0x96c17bc]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076d7f780 6 bytes {JMP QWORD [RIP+0x96808b0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076d828e4 6 bytes {JMP QWORD [RIP+0x951d74c]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!mouse_event 0000000076d83894 6 bytes {JMP QWORD [RIP+0x931c79c]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076d88a10 6 bytes {JMP QWORD [RIP+0x95b7620]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076d88be0 6 bytes {JMP QWORD [RIP+0x9497450]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076d88c20 6 bytes {JMP QWORD [RIP+0x9337410]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendInput 0000000076d88cd0 6 bytes {JMP QWORD [RIP+0x9597360]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!BlockInput 0000000076d8ad60 6 bytes {JMP QWORD [RIP+0x96952d0]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076db14e0 6 bytes {JMP QWORD [RIP+0x972eb50]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!keybd_event 0000000076dd45a4 6 bytes {JMP QWORD [RIP+0x92aba8c]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076ddcc08 6 bytes {JMP QWORD [RIP+0x9503428]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076dddf18 6 bytes {JMP QWORD [RIP+0x9482118]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes JMP 0
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes JMP 0
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]}
.text C:\Windows\system32\services.exe[656] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B]
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]}
.text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d350a0 6 bytes {JMP QWORD [RIP+0x7af90]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B]
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]}
.text C:\Windows\system32\lsm.exe[700] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fd50a0 6 bytes {JMP QWORD [RIP+0x17af90]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B]
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebd3e80 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]}
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]}
.text C:\Windows\system32\svchost.exe[852] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000011d50a0 6 bytes JMP 0
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29]
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]}
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes JMP 2ba7
.text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes JMP 406
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP
70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 
6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA 
Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] 
C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread |
08.01.2015, 18:06 | #5 |
| Various problems with the computer and, most recently: WShelper.exe
Code:
[RIP+0x988ea50]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 
bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B] .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebd3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1120] 
C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011550a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP 
QWORD [RIP+0x98ae970]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 
0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff108398 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes JMP 0 .text 
C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1180] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\svchost.exe[1288] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text 
C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes JMP 63006f .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013850a0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text 
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD 
[RIP+0x174638]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000fc50a0 6 bytes {JMP QWORD [RIP+0x73af90]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 
0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\nvvsvc.exe[1364] 
08.01.2015, 18:07 | #6 |
| Various problems with the computer and, most recently: WShelper.exe
71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 
0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 
0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 
bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD 
[RIP+0x980d690]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B] .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 
6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes JMP b672e86a .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 6 bytes {JMP QWORD [RIP+0x131ac70]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes JMP 630069 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!BitBlt 
000007feff1024c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes JMP 2d0046 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes JMP 430046 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes JMP 97610 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes JMP 25dc .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes JMP 690044 .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076d66ef0 6 bytes {JMP QWORD [RIP+0x9639140]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076d68184 6 bytes {JMP QWORD [RIP+0x9717eac]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetParent 0000000076d68530 6 bytes {JMP QWORD [RIP+0x9657b00]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076d69bcc 6 bytes {JMP QWORD [RIP+0x93b6464]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!PostMessageA 0000000076d6a404 6 bytes {JMP QWORD [RIP+0x93f5c2c]} .text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!EnableWindow |
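The GMER listing above (which continues in the next post) is easier to reason about once it is machine-readable. What follows is an added example, not code from the poster, the forum or GMER: a small Python parser for GMER's in-process hook lines. It folds each process's hooks into a set, reports which hooks every listed process shares versus which only one process carries, and checks whether GMER's decoded direct-branch targets for a process are plausible (a target below 0x10000, such as the `JMP 0` entries shown for Explorer.EXE, cannot be a real destination, because Windows never maps the first 64 KiB of user space). The sample lines are copied from the listing above but are only an excerpt, so the "unique" output reflects which lines were sampled; run it over the whole log for a meaningful split. The 64 MiB stub-region threshold, and the reading of `JMP 0` and raw-byte entries as undecoded rather than as hooks to a known location, are this example's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Added triage helper for GMER user-mode hook listings; not part of the post or of GMER.
# Line format: .text <process>[pid] <module>!<export>[ + off] <addr> <n> bytes <patch>
_LINE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<export>\w+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+?)\s*$"
)
_RIP = re.compile(r"^\{JMP QWORD \[RIP\+0x[0-9a-fA-F]+\]\}$")
_BRANCH = re.compile(r"^(?:JMP|CALL)\s+([0-9a-fA-F]+)$")
LOWEST_USER_ADDR = 0x10000   # Windows never maps the first 64 KiB of user space
MAX_STUB_REGION = 0x4000000  # assumption: one hooking engine keeps its stubs within 64 MiB

@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str            # file name only, lower-cased
    export: str
    offset: int            # 0 = patch at the export's first byte
    addr: int
    kind: str              # rip_indirect | branch | bad_target | raw_bytes | unknown
    target: Optional[int]  # decoded direct-branch target, if GMER printed one

def classify(patch: str):
    """Map GMER's patch column onto a hook kind and, for direct branches, a target."""
    if _RIP.match(patch):   # 64-bit engine jumping through a pointer slot: no absolute target shown
        return "rip_indirect", None
    m = _BRANCH.match(patch)
    if m:
        target = int(m.group(1), 16)
        return ("bad_target" if target < LOWEST_USER_ADDR else "branch"), target
    if patch.startswith("["):   # GMER printed raw bytes it could not decode
        return "raw_bytes", None
    return "unknown", None

def parse_gmer(text: str):
    hooks = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:               # skips GMER's ".text ... * 2" fold-up lines
            continue
        kind, target = classify(m["patch"])
        hooks.append(Hook(m["proc"].strip(), int(m["pid"]),
                          m["module"].rsplit("\\", 1)[-1].lower(), m["export"],
                          int(m["offset"] or 0), int(m["addr"], 16), kind, target))
    return hooks

def hook_name(h: Hook) -> str:
    # A 5-byte WoW64 patch is listed as "3 bytes" at +0 and "2 bytes" at +4:
    # one hook, so offsets up to 4 collapse onto the export itself.
    return f"{h.module}!{h.export}" + (f"+{h.offset}" if h.offset > 4 else "")

def hook_sets(hooks):
    """{'process[pid]': set of hook names}, ignoring undecoded raw-byte entries."""
    sets = defaultdict(set)
    for h in hooks:
        if h.kind != "raw_bytes":
            sets[f"{h.process}[{h.pid}]"].add(hook_name(h))
    return dict(sets)

def shared_and_unique(hooks):
    """Hooks every listed process has, versus hooks only one process has. A big
    shared set is one layer loaded everywhere; a single-process hook is the entry
    worth a closer look."""
    sets = hook_sets(hooks)
    if not sets:
        return set(), {}
    shared = set.intersection(*sets.values())
    unique = {}
    for proc, s in sets.items():
        elsewhere = set().union(*(o for p, o in sets.items() if p != proc))
        if s - elsewhere:
            unique[proc] = s - elsewhere
    return shared, unique

def direct_branch_status(hooks):
    """Per process: 'consistent' if all decoded direct-branch targets sit in one stub
    region, 'unreliable' if one is unmapped or they are scattered (then dump the
    patched bytes in a debugger before reading anything into them)."""
    per_proc = defaultdict(list)
    for h in hooks:
        if h.kind in ("branch", "bad_target"):
            per_proc[f"{h.process}[{h.pid}]"].append(h)
    status = {}
    for proc, hs in per_proc.items():
        targets = [h.target for h in hs]
        bad = any(h.kind == "bad_target" for h in hs)
        scattered = max(targets) - min(targets) > MAX_STUB_REGION
        status[proc] = "unreliable" if (bad or scattered) else "consistent"
    return status

# Constructed sample: lines copied from the listing above (an excerpt only).
SAMPLE = r"""
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74]
.text ... * 2
.text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca250a0 6 bytes JMP 5c0072
"""
```

Run over the full listing, the picture is that the same ntdll, kernel32, KERNELBASE, GDI32, USER32 and SspiCli exports are hooked in an Apple service, Dwm.exe, Explorer.EXE and a BlueStacks service alike, and every WoW64 hook jumps into one region between about 0x70ca0000 and 0x71b00000. That is the footprint of a user-mode hooking layer loaded into every process, which is how HIPS and antivirus sandboxing components operate (the thread's first post mentions a Comodo installation); by itself it is not evidence of malware. Confirming that reading means checking which DLL owns that region in one of the processes, for example with a debugger attached to it, rather than trusting any product name.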
08.01.2015, 18:09 | #7 |
| Various problems with the computer and, most recently: WShelper.exe
0000000076d6aaa0 6 bytes {JMP QWORD [RIP+0x9755590]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!MoveWindow 0000000076d6aad0 6 bytes {JMP QWORD [RIP+0x9675560]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076d6c720 6 bytes {JMP QWORD [RIP+0x9613910]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076d6cd50 6 bytes {JMP QWORD [RIP+0x96f32e0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076d6d2b0 6 bytes {JMP QWORD [RIP+0x9432d80]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageA 0000000076d6d338 6 bytes {JMP QWORD [RIP+0x9472cf8]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076d6dc40 6 bytes {JMP QWORD [RIP+0x95523f0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076d6f510 6 bytes {JMP QWORD [RIP+0x9730b20]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d6f874 6 bytes {JMP QWORD [RIP+0x93707bc]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076d6fac0 6 bytes {JMP QWORD [RIP+0x94d0570]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076d70b74 6 bytes {JMP QWORD [RIP+0x944f4bc]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076d733b0 6 bytes {JMP QWORD [RIP+0x93ccc80]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076d74d4d 5 bytes {JMP QWORD [RIP+0x938b2e4]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!GetKeyState 0000000076d75010 6 bytes {JMP QWORD [RIP+0x95eb020]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076d75438 6 bytes {JMP QWORD [RIP+0x950abf8]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageW 0000000076d76b50 6 bytes {JMP QWORD [RIP+0x94894e0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!PostMessageW 0000000076d776e4 6 bytes {JMP QWORD [RIP+0x940894c]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076d7dd90 6 bytes {JMP QWORD [RIP+0x95822a0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076d7e874 6 bytes {JMP QWORD [RIP+0x96c17bc]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076d7f780 6 bytes {JMP QWORD [RIP+0x96808b0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076d828e4 6 bytes {JMP QWORD [RIP+0x951d74c]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!mouse_event 0000000076d83894 6 bytes {JMP QWORD [RIP+0x931c79c]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076d88a10 6 bytes {JMP QWORD [RIP+0x95b7620]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076d88be0 6 bytes {JMP QWORD [RIP+0x9497450]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076d88c20 6 bytes {JMP QWORD [RIP+0x9337410]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendInput 0000000076d88cd0 6 bytes {JMP QWORD [RIP+0x9597360]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!BlockInput 0000000076d8ad60 6 bytes {JMP QWORD [RIP+0x96952d0]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076db14e0 6 bytes {JMP QWORD [RIP+0x972eb50]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!keybd_event 0000000076dd45a4 6 bytes {JMP QWORD [RIP+0x92aba8c]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076ddcc08 6 bytes {JMP QWORD [RIP+0x9503428]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076dddf18 6 bytes {JMP QWORD [RIP+0x9482118]}
.text C:\Windows\Explorer.EXE[1768] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefca250a0 6 bytes JMP 5c0072
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816]
C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageW 
0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a 
.text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 
2 bytes JMP 7127000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[1816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 
bytes [B4, 74] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 
0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text 
C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 
70d0000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes 
JMP 70fd000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 
0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program 
Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a 
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text 
C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\taskeng.exe[1116] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text 
C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 480041 .text C:\Windows\system32\taskeng.exe[1116] 
C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\system32\taskeng.exe[1116] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024850a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\svchost.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text 
C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B] .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!StretchBlt |
08.01.2015, 18:09 | #8 |
000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort
0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\taskeng.exe[1564] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes JMP 51716c11 .text C:\Windows\system32\taskeng.exe[1564] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024850a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Program Files (x86)\MAGIX\PC_Check_Tuning_Free_2011\MxTray.exe[1272] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files 
(x86)\MAGIX\PC_Check_Tuning_Free_2011\MxTray.exe[1272] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text 
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a 
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2148] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA 
08.01.2015, 18:10 | #9 |
0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text 
C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a 
.text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\PDF 
Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\PDF 
Architect\ConversionService.exe[2408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe[2448] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP 
QWORD [RIP+0x986e830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 6 bytes {JMP QWORD [RIP+0x131ac70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes JMP 1185 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2484] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025d50a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 
bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\conhost.exe[2492] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 29] .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2492] 
C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\conhost.exe[2492] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes [FF, 25, 70, AC, 1B] .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes {JMP QWORD [RIP+0x174638]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Windows\system32\svchost.exe[2516] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012250a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] 
C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74]
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155
|
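A triage helper for listings of this kind, added here as an example; it is not part of the original post and not GMER's own code. GMER prints one line per inline hook (".text <process>[pid] <module>!<function>[ + offset] <address> <n> bytes <patch>"), and the question a practitioner asks first is not "is this API hooked?" but "is every process hooked in the same way?". The script parses such lines, groups them per hooked API, and reports whether each hook is present in every process that has that module hooked and always points at the same target. The sample input is constructed: its first ten hook lines copy values from the listing above, and the last line is a hypothetical outlier process (no such process is in the poster's log) added only to exercise the divergence check. The API groups in WATCH are the author's own short list, not something GMER emits.

```python
"""Consistency triage for GMER user-mode hook listings (added example, not GMER code).

Hooks that are identical in every process are the fingerprint of one globally
injected DLL (an AV/HIPS or sandbox guard).  A hook that exists in only one
process, or jumps somewhere different, is the one to look at first.
"""
import re
from collections import defaultdict

# Constructed sample: the first ten hook lines copy values from the log above;
# the final line is a HYPOTHETICAL outlier process used only to exercise the check.
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592]  C:\Windows\SysWOW64\ntdll.dll!NtClose  000000007705f9e0 3 bytes JMP 71af000a
.text  C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592]  C:\Windows\SysWOW64\ntdll.dll!NtClose + 4  000000007705f9e4 2 bytes JMP 71af000a
.text  C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592]  C:\Windows\syswow64\USER32.dll!GetAsyncKeyState  0000000074a7eb96 6 bytes JMP 7136000a
.text  C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592]  C:\Windows\syswow64\GDI32.dll!BitBlt  00000000757e5ea6 6 bytes JMP 718a000a
.text  C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000074b41465 2 bytes [B4, 74]
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624]  C:\Windows\SysWOW64\ntdll.dll!NtClose  000000007705f9e0 3 bytes JMP 71af000a
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624]  C:\Windows\SysWOW64\ntdll.dll!NtClose + 4  000000007705f9e4 2 bytes JMP 71af000a
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624]  C:\Windows\syswow64\USER32.dll!GetAsyncKeyState  0000000074a7eb96 6 bytes JMP 7136000a
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2624]  C:\Windows\syswow64\GDI32.dll!BitBlt  00000000757e5ea6 6 bytes JMP 718a000a
.text  C:\Windows\system32\vssvc.exe[2672]  C:\Windows\SYSTEM32\ntdll.dll!NtClose  0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]}
.text  ... * 2
.text  C:\hypothetical\outlier.exe[9999]  C:\Windows\syswow64\USER32.dll!GetAsyncKeyState  0000000074a7eb96 6 bytes JMP 00aa000a
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[(?P<pid>\d+)\])\s+"   # process path ending in [pid]
    r"(?P<module>\S+?)!(?P<func>.+?)\s+"                # module path ! function [+ offset]
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+) bytes\s+"
    r"(?P<patch>.+?)\s*$"                               # JMP/CALL target or raw bytes
)

# Author's grouping of APIs worth a second look; a HIPS hooks these to block
# keyloggers and screen grabbers, and keyloggers hook them for the opposite reason.
WATCH = {
    "keyboard/clipboard capture": {
        "GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "SetWindowsHookExA",
        "SetWindowsHookExW", "GetClipboardData", "SetClipboardViewer", "RegisterRawInputDevices"},
    "screen capture": {"BitBlt", "StretchBlt", "MaskBlt", "PlgBlt", "GetPixel"},
    "process/driver control": {
        "NtCreateThreadEx", "NtLoadDriver", "NtSetSystemInformation",
        "NtSystemDebugControl", "CreateProcessInternalW"},
}


def parse_hooks(text):
    """Parse GMER '.text' hook lines; summary lines such as '.text ... * 2' are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        h["module"] = h["module"].lower()   # GMER mixes SysWOW64 / syswow64 spellings
        hooks.append(h)
    return hooks


def hook_report(hooks):
    """Map (module, func) -> {targets, in, of}: 'of' counts the processes that have any
    hook in that module, so 32-bit (SysWOW64) and 64-bit (System32) ntdll are compared
    separately.  'NtClose + 4 / 2 bytes' is the tail of the same 5-byte JMP as 'NtClose'."""
    procs_per_module = defaultdict(set)
    per_hook = defaultdict(dict)
    for h in hooks:
        procs_per_module[h["module"]].add(h["process"])
        per_hook[(h["module"], h["func"])][h["process"]] = h["patch"]
    return {
        key: {"targets": sorted(set(by_proc.values())),
              "in": len(by_proc), "of": len(procs_per_module[key[0]])}
        for key, by_proc in per_hook.items()
    }


def divergent(report):
    """Hooks missing from some process of that bitness, or pointing at different targets."""
    return {k: v for k, v in report.items() if len(v["targets"]) > 1 or v["in"] < v["of"]}


def categories(func):
    base = func.split(" + ")[0]          # drop the '+ offset' part
    return [cat for cat, names in WATCH.items() if base in names]


if __name__ == "__main__":
    rep = hook_report(parse_hooks(SAMPLE_LOG))
    div = divergent(rep)
    for (module, func), v in sorted(rep.items()):
        short = module.rsplit("\\", 1)[-1]
        verdict = "DIVERGENT " if (module, func) in div else "consistent"
        cats = ", ".join(categories(func)) or "-"
        print(f"{verdict} {short}!{func:<32} {v['in']}/{v['of']} procs {v['targets']} [{cats}]")
```

On the sample, every hook copied from the listing comes out "consistent" and only the hypothetical outlier's GetAsyncKeyState hook is flagged, because it is the one API patched to a second target. That is the reading the full listing above supports as well: TeamViewer_Service.exe and NvBackend.exe carry the identical set of ntdll, kernel32, KERNELBASE, SspiCli, USER32, GDI32 and PSAPI hooks with identical JMP targets, which is what a globally injected HIPS or antivirus guard DLL produces rather than a rootkit targeting one process. Which product owns the 7xxx000a targets cannot be read off these lines (GMER does not name the module at the target address); the Comodo installation mentioned in the opening post is the obvious candidate, but confirming it means resolving those addresses to a loaded module.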
08.01.2015, 18:12 | #10 |
| Various problems with the computer and, most recently: WShelper.exe
Code:
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Internet 
Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Apple\Internet 
Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] 
C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] 
C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text 
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] 
C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] 
C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 
bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 
000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes 
JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 |
08.01.2015, 18:14 | #11 |
| Various problems with the computer and, most recently: WShelper.exe
0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 
0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 
bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... 
* 2 .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes 
JMP 7109000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 
bytes JMP 710f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text 
C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] 
C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text 
C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text 
C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Users\Tobias\AppData\Roaming\Dropbox\bin\Dropbox.exe[3432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... 
* 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common 
08.01.2015, 18:14 | #12 |
| Various problems with the computer and, most recently, WShelper.exe
Code:
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] 
C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text 
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files 
(x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 
6 bytes JMP 7187000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 
bytes JMP 70dc000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 
7106000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files 
(x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 
0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3744] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\OpenOffice.org 
08.01.2015, 18:15 | #13 |
| Various problems with the computer and, most recently: WShelper.exe
Code:
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] 
C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 
7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java 
Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program 
Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 
0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files 
(x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074a0124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000757e5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000757eb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000757ec332 6 bytes JMP 7187000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757ecbfb 6 bytes JMP 
7193000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075814857 6 bytes JMP 7184000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 
7130000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 
0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] 
C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000074ab7dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000074ab7ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000074ab88eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000074ab88ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b41465 2 bytes [B4, 74] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b414bb 2 bytes [B4, 74] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 
6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text 
C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes JMP 98eda70 .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[3916] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000013250a0 6 bytes JMP b3e9 .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e83b10 6 bytes {JMP QWORD [RIP+0x91bc520]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076eb13a0 6 bytes {JMP QWORD [RIP+0x916ec90]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076eb1470 6 bytes {JMP QWORD [RIP+0x990ebc0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076eb1570 6 bytes {JMP QWORD [RIP+0x97aeac0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076eb15e0 6 bytes {JMP QWORD [RIP+0x988ea50]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076eb1620 6 bytes {JMP QWORD [RIP+0x984ea10]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076eb16c0 6 bytes {JMP QWORD [RIP+0x98ae970]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eb1730 6 bytes {JMP QWORD [RIP+0x96ae900]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076eb1750 6 bytes {JMP QWORD [RIP+0x982e8e0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076eb1790 6 bytes {JMP QWORD [RIP+0x972e8a0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076eb17e0 6 bytes {JMP QWORD [RIP+0x974e850]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076eb1800 6 bytes {JMP QWORD [RIP+0x986e830]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076eb19f0 6 bytes {JMP QWORD [RIP+0x994e640]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076eb1a00 6 bytes {JMP QWORD [RIP+0x966e630]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076eb1b00 6 bytes {JMP QWORD [RIP+0x964e530]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076eb1bd0 6 bytes {JMP QWORD [RIP+0x97ce460]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076eb1c10 6 bytes {JMP QWORD [RIP+0x96ce420]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eb1c80 6 bytes {JMP QWORD [RIP+0x968e3b0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076eb1cb0 6 bytes {JMP QWORD [RIP+0x970e380]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eb1d10 6 bytes {JMP QWORD [RIP+0x96ee320]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076eb1d20 6 bytes {JMP QWORD [RIP+0x98ce310]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076eb1d30 6 bytes {JMP QWORD [RIP+0x992e300]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076eb20a0 6 bytes {JMP QWORD [RIP+0x97edf90]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076eb2130 6 bytes {JMP QWORD [RIP+0x98edf00]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076eb29a0 6 bytes {JMP QWORD [RIP+0x980d690]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem |
08.01.2015, 18:17 | #14 |
| Various problems with the PC and, most recently, WShelper.exe
Code:
ATTFilter 0000000076eb2a20 6 bytes {JMP QWORD [RIP+0x976d610]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076eb2aa0 6 bytes {JMP QWORD [RIP+0x978d590]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c5db80 6 bytes {JMP QWORD [RIP+0x94024b0]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf69055 3 bytes [B5, 6F, 06] .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf753c0 5 bytes JMP 0 .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1022cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!BitBlt 000007feff1024c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff105bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff108398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1089d8 6 bytes {JMP QWORD [RIP+0x97658]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!GetPixel 000007feff109344 6 bytes {JMP QWORD [RIP+0xd6cec]} .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff10b9f8 6 bytes JMP 14bd18 .text C:\Program Files\iPod\bin\iPodService.exe[2248] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff10c8e0 6 bytes {JMP QWORD [RIP+0x153750]} .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007705f9e0 3 bytes JMP 71af000a .text C:\Program Files 
(x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007705f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007705fb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007705fb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007705fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007705fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007705fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007705fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007705fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007705fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007705fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007705fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007705ff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\DAEMON Tools 
Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007705ff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007705ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007705ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077060004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077060008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077060084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077060088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770600b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000770600b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000770603b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000770603bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000770603d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000770603d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077060550 3 bytes JMP 7112000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077060554 2 bytes JMP 7112000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077060694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077060698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000770606f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000770606f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007706079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000770607a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000770607e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000770607e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077060874 3 bytes JMP 7103000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077060878 2 bytes JMP 7103000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007706088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077060890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000770608a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000770608a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077060df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077060df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077060ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077060edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077061be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077061be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077061cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\DAEMON Tools 
Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077061cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077061d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077061d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077081287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074fa3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074fa3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075792c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000074a58332 6 bytes JMP 716c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000074a58bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000074a590d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000074a59679 6 bytes JMP 715a000a .text C:\Program Files 
(x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000074a597d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074a5ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000074a5efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000074a5efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000074a612a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074a6291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetParent 0000000074a62d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000074a62d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a62da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000074a63698 3 bytes JMP 712d000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000074a6369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000074a63baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000074a63c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000074a66110 6 bytes JMP 716f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074a6612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000074a66c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a67603 6 bytes JMP 7175000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000074a67668 6 bytes JMP 7148000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000074a676e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000074a6781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074a6835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000074a6c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000074a6c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000074a7c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000074a7d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074a7eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000074a7ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000074a7ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendInput 0000000074a7ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000074a7ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000074a99f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000074aa1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!mouse_event 0000000074ab027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074ab02bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000074ab6cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000074ab6d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe[3728] C:\Windows\syswow64\USER32.dll!BlockInput 
08.01.2015, 20:03 #15
/// the machine /// TB-Ausbilder

Various problems with the computer and, most recently: WShelper.exe

Please download Revo Uninstaller from here (alternatively the portable Revo Uninstaller).
Please download TDSSKiller.exe and save this file on the desktop.
Please download Malwarebytes Anti-Rootkit and save it on your desktop.
Do not start any other file in this folder without instructions from a helper.

__________________
Regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!