GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-08-28 18:26:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HGST_HTS rev.GG2Z 465,76GB Running: m57g1hli.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kwliqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f1000 16 bytes [C1, 03, 0F, 85, 78, FF, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 546 fffff800031f1012 5 bytes [05, A9, CA, 22, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 0000000149b80450 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 0000000149b80370 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 0000000149b803e0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 0000000149b80320 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 0000000149b803b0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 0000000149b80390 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 0000000149b802e0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 0000000149b802d0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 0000000149b80310 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 0000000149b803c0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 0000000149b803f0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 0000000149b80230 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 0000000149b803a0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 0000000149b802f0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 0000000149b80350 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 0000000149b80290 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 0000000149b802b0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 0000000149b803d0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 0000000149b80330 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 0000000149b80410 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 0000000149b80240 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 0000000149b801e0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 0000000149b80250 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 0000000149b80490 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 0000000149b804a0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 0000000149b80300 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 0000000149b80360 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 0000000149b802a0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 0000000149b802c0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 0000000149b80380 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 0000000149b80340 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 0000000149b80440 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 0000000149b80260 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 0000000149b80270 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 0000000149b80400 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 0000000149b801f0 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 0000000149b80210 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 0000000149b80200 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 0000000149b80420 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 0000000149b80430 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 0000000149b80220 .text C:\Windows\system32\csrss.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 0000000149b80280 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777a0250 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777a04a0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\wininit.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\wininit.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777a0450 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777a0230 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777a03d0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777a0330 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777a0250 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777a0490 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777a04a0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\winlogon.exe[780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\services.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\services.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\services.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[840] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebf4750 6 bytes {JMP QWORD [RIP+0x1db8e0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd1e50a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000774f6ef0 6 bytes {JMP QWORD [RIP+0x8ee9140]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774f8184 6 bytes {JMP QWORD [RIP+0x8fc7eac]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetParent 00000000774f8530 6 bytes {JMP QWORD [RIP+0x8f07b00]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000774f9bcc 6 bytes {JMP QWORD [RIP+0x8c66464]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!PostMessageA 00000000774fa404 6 bytes {JMP QWORD [RIP+0x8ca5c2c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!EnableWindow 00000000774faaa0 6 bytes {JMP QWORD [RIP+0x9005590]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!MoveWindow 00000000774faad0 6 bytes {JMP QWORD [RIP+0x8f25560]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000774fc720 6 bytes {JMP QWORD [RIP+0x8ec3910]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000774fcd50 6 bytes {JMP QWORD [RIP+0x8fa32e0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000774fd2b0 6 bytes {JMP QWORD [RIP+0x8ce2d80]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageA 00000000774fd338 6 bytes {JMP QWORD [RIP+0x8d22cf8]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774fdc40 6 bytes {JMP QWORD [RIP+0x8e023f0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000774ff510 6 bytes {JMP QWORD [RIP+0x8fe0b20]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000774ff874 6 bytes {JMP QWORD [RIP+0x8c207bc]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000774ffac0 6 bytes {JMP QWORD [RIP+0x8d80570]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077500b74 6 bytes {JMP QWORD [RIP+0x8cff4bc]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000775033b0 6 bytes {JMP QWORD [RIP+0x8c7cc80]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077504d4d 5 bytes {JMP QWORD [RIP+0x8c3b2e4]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!GetKeyState 0000000077505010 6 bytes {JMP QWORD [RIP+0x8e9b020]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077505438 6 bytes {JMP QWORD [RIP+0x8dbabf8]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageW 0000000077506b50 6 bytes {JMP QWORD [RIP+0x8d394e0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!PostMessageW 00000000775076e4 6 bytes {JMP QWORD [RIP+0x8cb894c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007750dd90 6 bytes {JMP QWORD [RIP+0x8e322a0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!GetClipboardData 000000007750e874 6 bytes {JMP QWORD [RIP+0x8f717bc]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007750f780 6 bytes {JMP QWORD [RIP+0x8f308b0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775128e4 6 bytes {JMP QWORD [RIP+0x8dcd74c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!mouse_event 0000000077513894 6 bytes {JMP QWORD [RIP+0x8bcc79c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077518a10 6 bytes {JMP QWORD [RIP+0x8e67620]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077518be0 6 bytes {JMP QWORD [RIP+0x8d47450]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077518c20 6 bytes {JMP QWORD [RIP+0x8be7410]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendInput 0000000077518cd0 6 bytes {JMP QWORD [RIP+0x8e47360]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!BlockInput 000000007751ad60 6 bytes {JMP QWORD [RIP+0x8f452d0]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775414e0 6 bytes {JMP QWORD [RIP+0x8fdeb50]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!keybd_event 00000000775645a4 6 bytes {JMP QWORD [RIP+0x8b5ba8c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007756cc08 6 bytes {JMP QWORD [RIP+0x8db3428]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007756df18 6 bytes {JMP QWORD [RIP+0x8d32118]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\services.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\lsass.exe[848] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 701b .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 750059 .text C:\Windows\system32\lsm.exe[856] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d850a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebf4750 6 bytes {JMP QWORD [RIP+0x1db8e0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes [14, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes [1A, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 6 bytes {JMP QWORD [RIP+0x8f9eac0]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x907ea50]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 6 bytes {JMP QWORD [RIP+0x903ea10]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x909e970]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 6 bytes {JMP QWORD [RIP+0x901e8e0]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 6 bytes {JMP QWORD [RIP+0x8f1e8a0]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 6 bytes {JMP QWORD [RIP+0x8f3e850]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x905e830]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x911e640]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 6 bytes {JMP QWORD [RIP+0x8efe530]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x8fbe460]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x90be310]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 6 bytes {JMP QWORD [RIP+0x90fe300]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 6 bytes {JMP QWORD [RIP+0x8fddf90]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x90ddf00]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 6 bytes {JMP QWORD [RIP+0x8ffd690]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 6 bytes {JMP QWORD [RIP+0x8f5d610]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 6 bytes {JMP QWORD [RIP+0x8f7d590]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 79000026 .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\system32\nvvsvc.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 6 bytes {JMP QWORD [RIP+0x8f9eac0]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x907ea50]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 6 bytes {JMP QWORD [RIP+0x903ea10]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x909e970]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 6 bytes {JMP QWORD [RIP+0x901e8e0]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 6 bytes {JMP QWORD [RIP+0x8f1e8a0]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 6 bytes {JMP QWORD [RIP+0x8f3e850]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x905e830]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x911e640]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 6 bytes {JMP QWORD [RIP+0x8efe530]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x8fbe460]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x90be310]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 6 bytes {JMP QWORD [RIP+0x90fe300]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 6 bytes {JMP QWORD [RIP+0x8fddf90]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x90ddf00]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 6 bytes {JMP QWORD [RIP+0x8ffd690]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 6 bytes {JMP QWORD [RIP+0x8f5d610]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 6 bytes {JMP QWORD [RIP+0x8f7d590]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebf4750 6 bytes {JMP QWORD [RIP+0x1db8e0]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e250a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777a0460 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777a0450 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777a0370 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777a0470 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777a03e0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777a0320 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777a03b0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777a0390 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777a02e0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777a02d0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777a0310 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777a03c0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777a0230 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777a0480 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777a03a0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777a02f0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777a0350 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777a0290 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777a02b0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777a03d0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777a0330 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777a0410 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777a0240 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777a01e0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777a0250 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777a0490 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777a04a0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777a0300 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777a0360 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777a02a0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777a02c0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777a0380 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777a0340 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777a0260 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777a0270 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777a0400 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777a01f0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777a0210 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777a0200 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777a0420 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777a0430 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777a0220 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 274600 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes JMP 1094adb .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes JMP 89e2770 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes JMP 9114528 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes JMP 3000c .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes JMP a .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes JMP 90c73e0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes JMP 6000c .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes JMP abfe8d0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes JMP 90ef640 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes JMP b .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes JMP 5ecc941 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes JMP 233881 .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 40003e .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\System32\svchost.exe[1168] C:\Windows\System32\SspiCli.dll!EncryptMessage 0000000000f550a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f550a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebf4750 6 bytes {JMP QWORD [RIP+0x1db8e0]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[1232] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000f150a0 6 bytes {JMP QWORD [RIP+0x4aaf90]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\system32\AUDIODG.EXE[1312] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP aab .text C:\Windows\servicing\TrustedInstaller.exe[1380] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x24dd60]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x55db78]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x57a450]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes JMP 900000d0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5b4648]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x593780]} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000021f50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefebf4750 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000da50a0 6 bytes JMP 1 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes [E4, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes [D2, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP ffd10000 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes [E4, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes [05, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes [D5, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes [E4, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes [D2, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes [05, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes [D5, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes [14, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes [23, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes [20, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes [1D, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes [32, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes [1A, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes [26, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 0000000100060460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 0000000100060450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 0000000100060370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 0000000100060470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000001000603e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 0000000100060320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000001000603b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 0000000100060390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000001000602e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000001000602d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 0000000100060310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000001000603c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000001000603f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 0000000100060230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 0000000100060480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000001000603a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000001000602f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 0000000100060350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 0000000100060290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000001000602b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000001000603d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 0000000100060330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 0000000100060410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 0000000100060240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000001000601e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 0000000100060250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 0000000100060490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000001000604a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 0000000100060300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 0000000100060360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000001000602a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000001000602c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 0000000100060380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 0000000100060340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 0000000100060440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 0000000100060260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 0000000100060270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 0000000100060400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000001000601f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 0000000100060210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 0000000100060200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 0000000100060420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 0000000100060430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 0000000100060220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 0000000100060280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x5fa450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x577cac]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x596cf4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000f550a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[2484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F6, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [E1, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E7, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [DE, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [EA, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [02, 71] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [F3, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [DB, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [F0, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D8, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [ED, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F9, 70] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[2620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [EC, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [D7, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [DD, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [D4, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [E0, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [F8, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes [DA, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes [C8, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 00000000cc0cd00d .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [D1, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes [CB, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [E6, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [CE, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [E3, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [F2, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [EF, 70] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 718c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2724] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x55db78]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x57a450]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 5 .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5b4648]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x593780]} .text C:\Windows\system32\wbem\wmiprvse.exe[2920] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000fd50a0 6 bytes {JMP QWORD [RIP+0x35af90]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes [D9, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes [E1, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [D6, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes [E4, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [FC, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes [CA, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [ED, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [D3, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D0, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes [0E, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes [1D, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes [1A, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes [17, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes [29, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes [2C, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes [14, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes [20, 71] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2956] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes JMP 6f .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 2 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000010e50a0 6 bytes JMP 730009 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\Dwm.exe[3468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes JMP 65 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\Explorer.EXE[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\Explorer.EXE[3476] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd1e50a0 6 bytes JMP 9b3 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes JMP 7fe .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\system32\nvvsvc.exe[3488] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000010650a0 6 bytes {JMP QWORD [RIP+0x55af90]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes JMP 1ca .text C:\Windows\system32\taskhost.exe[3520] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000022f50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\taskeng.exe[3528] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d850a0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP f00f00 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000027050a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP 274648 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes JMP 6f .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x5fa450]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x577cac]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x596cf4]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000002dc50a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x5fa450]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x577cac]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x596cf4]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3704] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\System32\igfxtray.exe[1628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\System32\hkcmd.exe[4044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3808] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ee50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 79000026 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x5fa450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x596cf4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff00a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff030c10 6 bytes JMP 1ca .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\System32\igfxpers.exe[4100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\system32\conhost.exe[4108] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes JMP 4d68636d .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Windows\system32\SearchIndexer.exe[4252] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f250a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 0000000100070370 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 0000000100070230 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 0000000100070250 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 0000000100070490 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x6cdd60]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x6edb78]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x70a450]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x744648]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x723780]} .text C:\Program Files\Windows Sidebar\sidebar.exe[4516] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000027e50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[4576] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f550a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5004] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes JMP 8d48ffff .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x55db78]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x57a450]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x207cac]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x1e766c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 810775c0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5b4648]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x593780]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNEL32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[5196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\LockKey\LockKey.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes [F0, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70dc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70dc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e2000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e2000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes [D8, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70e5000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70e5000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes [FC, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 70fa000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 70fa000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70df000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70df000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70cc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70cc000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7100000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7100000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes [ED, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes [D5, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d0000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes [EA, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes [D2, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes [E7, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes [F6, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes [F3, 70] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076d78791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 717e000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 7178000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 715a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 7109000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 7148000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7142000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes [0E, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 7154000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes [1D, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 711b000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 711b000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 714b000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7163000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 7145000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes [17, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 7124000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes [29, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes [2C, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes [14, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes [20, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[5296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes JMP 19 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes JMP 10000 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000049550a0 6 bytes {JMP QWORD [RIP+0x1baf90]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000077195ea5 5 bytes JMP 000000016de73300 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[5516] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771c9d0b 5 bytes JMP 000000016de73290 .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x24dd60]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x55db78]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x57a450]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x207cac]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x1e766c]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x226cf4]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5b4648]} .text C:\Windows\system32\wbem\unsecapp.exe[6036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x593780]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes JMP fff1eb34 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes JMP d072e800 .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000058c50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 79000026 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x5bdd60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x5ddb78]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x5fa450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0x577cac]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x55766c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x634648]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x613780]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000023450a0 6 bytes JMP 9b3 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773d98e0 6 bytes {JMP QWORD [RIP+0x8cc6750]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773f0650 6 bytes {JMP QWORD [RIP+0x8c6f9e0]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007742ef8d 1 byte [62] .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007746acf0 6 bytes {JMP QWORD [RIP+0x8c15340]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x554648]} .text C:\Windows\system32\conhost.exe[6548] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613b10 6 bytes {JMP QWORD [RIP+0x8a2c520]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077641360 5 bytes JMP 00000000777b0460 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776413a0 6 bytes {JMP QWORD [RIP+0x89dec90]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776413b0 5 bytes JMP 00000000777b0450 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077641510 5 bytes JMP 00000000777b0370 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077641560 5 bytes JMP 00000000777b0470 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077641570 5 bytes JMP 00000000777b03e0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776415e0 6 bytes {JMP QWORD [RIP+0x911ea50]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641620 5 bytes JMP 00000000777b0320 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077641650 5 bytes JMP 00000000777b03b0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077641670 5 bytes JMP 00000000777b0390 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776416b0 5 bytes JMP 00000000777b02e0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776416c0 6 bytes {JMP QWORD [RIP+0x913e970]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641730 5 bytes JMP 00000000777b02d0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077641750 5 bytes JMP 00000000777b0310 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077641790 5 bytes JMP 00000000777b03c0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776417e0 5 bytes JMP 00000000777b03f0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077641800 6 bytes {JMP QWORD [RIP+0x90fe830]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077641940 5 bytes JMP 00000000777b0230 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776419f0 6 bytes {JMP QWORD [RIP+0x91ce640]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b00 5 bytes JMP 00000000777b0480 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b30 5 bytes JMP 00000000777b03a0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077641bd0 6 bytes {JMP QWORD [RIP+0x901e460]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c10 5 bytes JMP 00000000777b02f0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c20 5 bytes JMP 00000000777b0350 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641c80 5 bytes JMP 00000000777b0290 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d10 5 bytes JMP 00000000777b02b0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077641d20 6 bytes {JMP QWORD [RIP+0x915e310]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d30 5 bytes JMP 00000000777b03d0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641d40 5 bytes JMP 00000000777b0330 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641db0 5 bytes JMP 00000000777b0410 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641de0 5 bytes JMP 00000000777b0240 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776420a0 5 bytes JMP 00000000777b01e0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077642130 6 bytes {JMP QWORD [RIP+0x917df00]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077642160 5 bytes JMP 00000000777b0250 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077642190 5 bytes JMP 00000000777b0490 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776421a0 5 bytes JMP 00000000777b04a0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776421d0 5 bytes JMP 00000000777b0300 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776421e0 5 bytes JMP 00000000777b0360 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077642240 5 bytes JMP 00000000777b02a0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077642290 5 bytes JMP 00000000777b02c0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776422c0 5 bytes JMP 00000000777b0380 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776422d0 5 bytes JMP 00000000777b0340 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776425c0 5 bytes JMP 00000000777b0440 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776427c0 5 bytes JMP 00000000777b0260 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776427d0 5 bytes JMP 00000000777b0270 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776427e0 5 bytes JMP 00000000777b0400 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776429a0 5 bytes JMP 00000000777b01f0 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776429b0 5 bytes JMP 00000000777b0210 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a20 5 bytes JMP 00000000777b0200 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642a80 5 bytes JMP 00000000777b0420 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642a90 5 bytes JMP 00000000777b0430 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642aa0 5 bytes JMP 00000000777b0220 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642b80 5 bytes JMP 00000000777b0280 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd459055 3 bytes CALL 9000027 .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8522d0 6 bytes {JMP QWORD [RIP+0x55dd60]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8524b8 6 bytes {JMP QWORD [RIP+0x57db78]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe855be0 6 bytes {JMP QWORD [RIP+0x59a450]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe858384 6 bytes {JMP QWORD [RIP+0xa7cac]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8589c4 6 bytes {JMP QWORD [RIP+0x8766c]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe85933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe85b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]} .text C:\Windows\system32\wuauclt.exe[6408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe85c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]} .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777ef9e0 3 bytes JMP 71af000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777ef9e4 2 bytes JMP 71af000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efcb0 3 bytes JMP 70f7000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777efcb4 2 bytes JMP 70f7000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777efd64 3 bytes JMP 70e2000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777efd68 2 bytes JMP 70e2000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777efdc8 3 bytes JMP 70e8000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777efdcc 2 bytes JMP 70e8000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777efec0 3 bytes JMP 70df000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777efec4 2 bytes JMP 70df000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777effa4 3 bytes JMP 70eb000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777effa8 2 bytes JMP 70eb000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777f0004 3 bytes JMP 7103000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777f0008 2 bytes JMP 7103000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777f0084 3 bytes JMP 7100000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777f0088 2 bytes JMP 7100000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777f00b4 3 bytes JMP 70e5000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777f00b8 2 bytes JMP 70e5000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777f03b8 3 bytes JMP 70d3000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777f03bc 2 bytes JMP 70d3000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777f0550 3 bytes JMP 7106000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777f0554 2 bytes JMP 7106000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777f0694 3 bytes JMP 70f4000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777f0698 2 bytes JMP 70f4000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777f088c 3 bytes JMP 70dc000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777f0890 2 bytes JMP 70dc000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777f08a4 3 bytes JMP 70d6000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777f08a8 2 bytes JMP 70d6000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777f0df4 3 bytes JMP 70f1000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777f0df8 2 bytes JMP 70f1000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777f0ed8 3 bytes JMP 70d9000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777f0edc 2 bytes JMP 70d9000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777f1be4 3 bytes JMP 70ee000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777f1be8 2 bytes JMP 70ee000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777f1cb4 3 bytes JMP 70fd000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777f1cb8 2 bytes JMP 70fd000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777f1d8c 3 bytes JMP 70fa000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777f1d90 2 bytes JMP 70fa000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811287 6 bytes JMP 71a8000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076d7103d 6 bytes JMP 719c000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076d71072 6 bytes JMP 7199000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076d71f0e 7 bytes JMP 000000016de73df0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076d75bad 7 bytes JMP 000000016de74100 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076d81409 7 bytes JMP 000000016de73f30 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076d8ea45 7 bytes JMP 000000016de73de0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076d9a2fd 1 byte [62] .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076d9c9b5 6 bytes JMP 7190000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076e18e24 7 bytes JMP 000000016de73b50 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076e18ea9 5 bytes JMP 000000016de73c00 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076e191ff 5 bytes JMP 000000016de73b60 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c1f784 6 bytes JMP 719f000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c21d29 5 bytes JMP 000000016de73ae0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c21dd7 5 bytes JMP 000000016de73a90 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c22ab1 5 bytes JMP 000000016de73c10 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c22c9e 4 bytes CALL 71ac0000 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c22d17 5 bytes JMP 000000016de73870 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000759d8332 6 bytes JMP 7160000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759d8a29 5 bytes JMP 000000016de73350 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000759d8bff 6 bytes JMP 7154000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000759d90d3 6 bytes JMP 710f000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000759d9679 6 bytes JMP 714e000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000759d97d2 6 bytes JMP 7148000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759dee09 6 bytes JMP 7166000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000759defc9 3 bytes JMP 7115000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000759defcd 2 bytes JMP 7115000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000759e12a5 6 bytes JMP 715a000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759e291f 6 bytes JMP 712d000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetParent 00000000759e2d64 3 bytes JMP 7124000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000759e2d68 2 bytes JMP 7124000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759e2da4 6 bytes JMP 710c000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000759e3698 3 bytes JMP 7121000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000759e369c 2 bytes JMP 7121000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000759e3baa 6 bytes JMP 715d000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000759e3c61 6 bytes JMP 7157000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759e4572 5 bytes JMP 000000016de737f0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000759e6110 6 bytes JMP 7163000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000759e612e 6 bytes JMP 7151000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000759e6c30 6 bytes JMP 7112000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759e7603 6 bytes JMP 7169000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000759e7668 6 bytes JMP 713c000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000759e76e0 6 bytes JMP 7142000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000759e781f 6 bytes JMP 714b000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759e835c 6 bytes JMP 716c000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000759ec4b6 3 bytes JMP 711e000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000759ec4ba 2 bytes JMP 711e000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000759fc112 6 bytes JMP 7139000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000759fd0f5 6 bytes JMP 7136000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000759fe567 5 bytes JMP 000000016de73860 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759feb96 6 bytes JMP 712a000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000759fec68 3 bytes JMP 7130000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000759fec6c 2 bytes JMP 7130000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendInput 00000000759fff4a 3 bytes JMP 7133000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000759fff4e 2 bytes JMP 7133000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075a19f1d 6 bytes JMP 7118000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a207d7 5 bytes JMP 000000016de73280 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075a21497 6 bytes JMP 7109000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075a3027b 6 bytes JMP 716f000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a302bf 6 bytes JMP 7172000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075a36cfc 6 bytes JMP 7145000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075a36d5d 6 bytes JMP 713f000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a37a5c 5 bytes JMP 000000016de737e0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075a37dd7 3 bytes JMP 711b000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075a37ddb 2 bytes JMP 711b000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075a388eb 3 bytes JMP 7127000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075a388ef 2 bytes JMP 7127000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752558b3 6 bytes JMP 7184000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075255ea6 6 bytes JMP 717e000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075257bcc 6 bytes JMP 718d000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007525b895 6 bytes JMP 7175000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007525c332 6 bytes JMP 717b000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007525cbfb 6 bytes JMP 7187000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007525e743 6 bytes JMP 718a000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007526e96b 5 bytes JMP 000000016de733c0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007526eba5 5 bytes JMP 000000016de733d0 .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007528480f 6 bytes JMP 7178000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075b42642 6 bytes JMP 7196000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075b45429 6 bytes JMP 7193000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007520124e 6 bytes JMP 7181000a .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075591465 2 bytes [59, 75] .text C:\Users\Ania\AppData\Local\Temp\_tc\m57g1hli.exe[6336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755914bb 2 bytes [59, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001071e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001071c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001072614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001072a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107286c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\services.exe[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\services.exe[ntdll.dll!NtShutdownSystem] [805b0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\services.exe[840] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\lsasrv.dll[ntdll.dll!NtShutdownSystem] [805b0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsass.exe[848] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\lsm.exe[856] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[948] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1076] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1128] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\System32\svchost.exe[1168] @ c:\windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\svchost.exe[1168] @ c:\windows\system32\sysmain.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\svchost.exe[1168] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\svchost.exe[1168] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1196] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1196] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1232] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ c:\windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1232] @ c:\windows\system32\srvsvc.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1232] @ C:\Windows\system32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1232] @ c:\windows\system32\aelupsvc.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\AUDIODG.EXE[1312] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1340] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\spoolsv.exe[1776] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[1820] @ c:\windows\system32\dps.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1820] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1936] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Intel\iCLS Client\HeciServer.exe[1192] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2144] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[2484] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[2920] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3372] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\Dwm.exe[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\dwmcore.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\Dwm.exe[3468] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\Explorer.EXE[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\System32\gameux.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\authui.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\Explorer.EXE[3476] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\nvvsvc.exe[3488] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskhost.exe[3520] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\taskeng.exe[3528] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2852] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2584] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2584] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2584] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3192] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1800] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3580] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4024] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxtray.exe[1628] @ C:\Windows\System32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\hkcmd.exe[4044] @ C:\Windows\System32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[3808] @ C:\Windows\system32\secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2472] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\System32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\System32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\System32\igfxpers.exe[4100] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\conhost.exe[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\conhost.exe[4108] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\SearchIndexer.exe[4252] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\Windows Sidebar\sidebar.exe[4516] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\svchost.exe[4576] @ C:\Windows\system32\secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[5104] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\wpfgfx_v0300.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[5116] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[5308] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wbem\unsecapp.exe[6036] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\advapi32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\advapi32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\totalcmd\TOTALCMD64.EXE[6176] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtLoadDriver] [80640000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[6540] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\conhost.exe[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\conhost.exe[6548] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806f0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80720000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806c0000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtTerminateThread] [80580000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80690000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [80610000] IAT C:\Windows\system32\wuauclt.exe[6408] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80045e22c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800738e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800709a2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800738e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{F4C20AB1-06F6-495D-A047-3C6E5B6BE949} fffffa800714f2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800738e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4672A216-CAB2-43FA-9CA3-0FF9369A7C1B} fffffa800714f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{53CDFC4A-5386-4ECB-956F-6A4C31A8E603} fffffa800714f2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800714f2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800738e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EAB649AF-BA23-4E50-9770-1EDCE7B8C375} fffffa800714f2c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [948:984] 000007fefc721558 Thread C:\Windows\system32\svchost.exe [948:996] 000007fefc68332c Thread C:\Windows\system32\svchost.exe [948:1000] 000007fefc6810b0 Thread C:\Windows\system32\svchost.exe [1076:1548] 000007fef9ba341c Thread C:\Windows\system32\svchost.exe [1076:1556] 000007fef9ba3a2c Thread C:\Windows\system32\svchost.exe [1076:1560] 000007fef9ba3768 Thread C:\Windows\system32\svchost.exe [1076:1564] 000007fef9ba5c20 Thread C:\Windows\system32\svchost.exe [1076:1684] 000007fef9ba3900 Thread C:\Windows\system32\svchost.exe [1076:1672] 000007fef8ecbd88 Thread C:\Windows\system32\svchost.exe [1076:2400] 000007fef8535170 Thread C:\Windows\system32\svchost.exe [1076:2516] 000007fef82483d8 Thread C:\Windows\system32\svchost.exe [1076:2520] 000007fef82483d8 Thread C:\Windows\system32\svchost.exe [1076:2864] 000007fef7ad3f1c Thread C:\Windows\system32\svchost.exe [1076:2876] 000007fef7a222b8 Thread C:\Windows\system32\svchost.exe [1076:2880] 000007fef7a21a38 Thread C:\Windows\system32\svchost.exe [1076:2884] 000007fef79a5388 Thread C:\Windows\system32\svchost.exe [1076:2888] 000007fef7987738 Thread C:\Windows\system32\svchost.exe [1076:2892] 000007fef7971f90 Thread C:\Windows\system32\svchost.exe [1076:4680] 000007fef8d75124 Thread C:\Windows\System32\svchost.exe [1128:1308] 000007fefab9f2f4 Thread C:\Windows\System32\svchost.exe [1128:1324] 000007fefb306204 Thread C:\Windows\System32\svchost.exe [1128:1552] 000007fef9be2070 Thread C:\Windows\System32\svchost.exe [1128:1568] 000007fef99c5428 Thread C:\Windows\System32\svchost.exe [1128:3128] 000007fef62b6b8c Thread C:\Windows\System32\svchost.exe [1128:3132] 000007fef62b1d88 Thread C:\Windows\system32\AUDIODG.EXE [1312:4068] 000000006e678ab4 Thread C:\Windows\system32\AUDIODG.EXE [1312:6608] 000000006e663e64 Thread C:\Windows\system32\AUDIODG.EXE [1312:3752] 000000006e66e030 Thread C:\Windows\system32\AUDIODG.EXE [1312:6516] 000007fefaeb2efc Thread C:\Windows\system32\AUDIODG.EXE [1312:6620] 000007fefaeb3238 Thread C:\Windows\system32\AUDIODG.EXE [1312:5780] 000007fef37a7cfc Thread C:\Windows\system32\svchost.exe [1340:3328] 000007fefa688274 Thread C:\Windows\system32\svchost.exe [1340:3444] 000007fefa688274 Thread C:\Windows\system32\svchost.exe [2484:2536] 000007fef8477130 Thread C:\Windows\system32\svchost.exe [2484:2540] 000007fef846d5c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd52b2e701 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd52b2e701@000272084540 0x40 0x49 0x1C 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd52b2e701@6c0e0d374bd5 0x9A 0x73 0x30 0x9A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd52b2e701@343111d8f328 0xCE 0xFB 0x3C 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB0 0x05 0x52 0x1D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd52b2e701 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd52b2e701@000272084540 0x40 0x49 0x1C 0xAC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd52b2e701@6c0e0d374bd5 0x9A 0x73 0x30 0x9A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd52b2e701@343111d8f328 0xCE 0xFB 0x3C 0x71 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB0 0x05 0x52 0x1D ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----