GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-30 00:06:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.03.0 465,76GB Running: yd9j96ew.exe; Driver: C:\Users\IZA\AppData\Local\Temp\uxriipow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033f8000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033f802f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770e1360 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770e1560 8 bytes JMP 000000016fff0110 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 8 bytes JMP 000000016fff0148 .text C:\windows\system32\csrss.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770e1360 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\csrss.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770e1560 8 bytes JMP 000000016fff0110 .text C:\windows\system32\csrss.exe[628] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 8 bytes JMP 000000016fff0148 .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\services.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\services.exe[664] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\system32\services.exe[664] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\system32\services.exe[664] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\services.exe[664] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\services.exe[664] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeb13e80 6 bytes {JMP QWORD [RIP+0x1ac1b0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\SspiCli.dll!EncryptMessage 000007fefcca50a0 6 bytes JMP 9b3 .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000076f96ef0 6 bytes {JMP QWORD [RIP+0x9449140]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000076f98184 6 bytes {JMP QWORD [RIP+0x9527eac]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetParent 0000000076f98530 6 bytes {JMP QWORD [RIP+0x9467b00]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetWindowLongA 0000000076f99bcc 6 bytes {JMP QWORD [RIP+0x91c6464]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!PostMessageA 0000000076f9a404 6 bytes {JMP QWORD [RIP+0x9205c2c]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!EnableWindow 0000000076f9aaa0 6 bytes {JMP QWORD [RIP+0x9565590]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!MoveWindow 0000000076f9aad0 6 bytes {JMP QWORD [RIP+0x9485560]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!GetAsyncKeyState 0000000076f9c720 6 bytes {JMP QWORD [RIP+0x9423910]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!RegisterHotKey 0000000076f9cd50 6 bytes {JMP QWORD [RIP+0x95032e0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!PostThreadMessageA 0000000076f9d2b0 6 bytes {JMP QWORD [RIP+0x9242d80]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageA 0000000076f9d338 6 bytes {JMP QWORD [RIP+0x9282cf8]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendNotifyMessageW 0000000076f9dc40 6 bytes {JMP QWORD [RIP+0x93623f0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SystemParametersInfoW 0000000076f9f510 6 bytes {JMP QWORD [RIP+0x9540b20]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetWindowsHookExW 0000000076f9f874 6 bytes {JMP QWORD [RIP+0x91807bc]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageTimeoutW 0000000076f9fac0 6 bytes {JMP QWORD [RIP+0x92e0570]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000076fa0b74 6 bytes {JMP QWORD [RIP+0x925f4bc]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetWindowLongW 0000000076fa33b0 6 bytes {JMP QWORD [RIP+0x91dcc80]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000076fa4d4d 5 bytes {JMP QWORD [RIP+0x919b2e4]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!GetKeyState 0000000076fa5010 6 bytes {JMP QWORD [RIP+0x93fb020]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000076fa5438 6 bytes {JMP QWORD [RIP+0x931abf8]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageW 0000000076fa6b50 6 bytes {JMP QWORD [RIP+0x92994e0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!PostMessageW 0000000076fa76e4 6 bytes {JMP QWORD [RIP+0x921894c]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendDlgItemMessageW 0000000076fadd90 6 bytes {JMP QWORD [RIP+0x93922a0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!GetClipboardData 0000000076fae874 6 bytes {JMP QWORD [RIP+0x94d17bc]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetClipboardViewer 0000000076faf780 6 bytes {JMP QWORD [RIP+0x94908b0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendNotifyMessageA 0000000076fb28e4 6 bytes {JMP QWORD [RIP+0x932d74c]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!mouse_event 0000000076fb3894 6 bytes {JMP QWORD [RIP+0x912c79c]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!GetKeyboardState 0000000076fb8a10 6 bytes {JMP QWORD [RIP+0x93c7620]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000076fb8be0 6 bytes {JMP QWORD [RIP+0x92a7450]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000076fb8c20 6 bytes {JMP QWORD [RIP+0x9147410]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendInput 0000000076fb8cd0 6 bytes {JMP QWORD [RIP+0x93a7360]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!BlockInput 0000000076fbad60 6 bytes {JMP QWORD [RIP+0x94a52d0]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000076fe14e0 6 bytes {JMP QWORD [RIP+0x953eb50]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!keybd_event 00000000770045a4 6 bytes {JMP QWORD [RIP+0x90bba8c]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007700cc08 6 bytes {JMP QWORD [RIP+0x9313428]} .text C:\windows\system32\services.exe[664] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007700df18 6 bytes {JMP QWORD [RIP+0x9292118]} .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 1 .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\services.exe[664] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x343750]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\lsass.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\lsass.exe[688] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\lsass.exe[688] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\system32\lsass.exe[688] C:\windows\system32\SspiCli.dll!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\lsm.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\lsm.exe[696] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\system32\lsm.exe[696] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 0 .text C:\windows\system32\svchost.exe[836] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes JMP fc187244 .text C:\windows\system32\svchost.exe[836] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeb13e80 6 bytes {JMP QWORD [RIP+0x1ac1b0]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2edd64]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x30db70]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x32a440]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x364638]} .text C:\windows\system32\svchost.exe[836] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x343750]} .text C:\windows\system32\svchost.exe[836] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000d950a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\svchost.exe[920] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[920] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeb13e80 6 bytes {JMP QWORD [RIP+0x1ac1b0]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2edd64]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x2b6cec]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x364638]} .text C:\windows\system32\svchost.exe[920] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 630076 .text C:\windows\system32\svchost.exe[920] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[920] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[920] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[420] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\svchost.exe[420] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 2d11b0 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 1e2ee08 .text C:\windows\system32\svchost.exe[420] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\system32\svchost.exe[420] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\system32\svchost.exe[420] C:\windows\system32\SSPICLI.DLL!EncryptMessage 00000000010550a0 6 bytes {JMP QWORD [RIP+0x4faf90]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\atiesrxx.exe[576] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\System32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\System32\svchost.exe[768] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[768] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[768] C:\windows\System32\SSPICLI.DLL!EncryptMessage 0000000000e950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes JMP 460045 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes JMP 520043 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes JMP 199019a .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes JMP 55037a9 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes JMP 66223d8 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes JMP 18c018c .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes JMP 95bbc6a .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes JMP 18f01af .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes JMP 1950195 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes JMP 807ce51 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes JMP 103ba81 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes JMP 57004f .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes JMP 9659580 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes JMP 39c81 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes JMP a9281 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes JMP 463d0bb .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes JMP 4e4e301 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes JMP 808b318 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes JMP 8f04308 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes JMP 970c2d1 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\System32\svchost.exe[936] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\System32\svchost.exe[936] C:\windows\System32\SSPICLI.DLL!EncryptMessage 00000000014e50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\svchost.exe[1064] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f450a0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[1104] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes JMP da57001a .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes JMP 320045 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeb13e80 6 bytes {JMP QWORD [RIP+0x1ac1b0]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 70 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 315bd0 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x32a440]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x364638]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x343750]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\system32\svchost.exe[1104] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\system32\svchost.exe[1104] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000fd50a0 6 bytes {JMP QWORD [RIP+0x54af90]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\svchost.exe[1196] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 7748 .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 390039 .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 238 .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\SspiCli.dll!EncryptMessage 00000000030f50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeb13e80 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 1 .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x30db70]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x32a440]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x277658]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x2b6cec]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x343750]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\system32\svchost.exe[1612] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ee50a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\windows\System32\spoolsv.exe[1748] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\System32\spoolsv.exe[1748] C:\windows\System32\SSPICLI.DLL!EncryptMessage 00000000022250a0 6 bytes JMP 9b3 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes [02, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes [14, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes [1A, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1872] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1948] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x35a440]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x373750]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x35a440]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x373750]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x35a440]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 52 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x373750]} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1152] C:\windows\system32\SspiCli.dll!EncryptMessage 00000000022b50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\svchost.exe[1536] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes JMP 7f4b4f .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes JMP 7a444a .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes JMP 344f89 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes JMP 451305 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes JMP 4c0503 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes JMP f29d55 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes JMP d08448 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes JMP 210609 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes JMP 7b1700 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes JMP 510d05 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes JMP 4d0302 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes JMP 943007 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes JMP 310c10 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes JMP 60608 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes JMP 325ba1 .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes JMP 274790 .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 2f55e762 .text C:\windows\system32\Dwm.exe[2544] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 34 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 429df0 .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\windows\system32\taskhost.exe[2204] C:\windows\system32\SspiCli.dll!EncryptMessage 00000000054f50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\Explorer.EXE[1212] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\Explorer.EXE[1212] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\Explorer.EXE[1212] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 78002e .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP af2ae30 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!RegisterRawInputDevices 0000000076f96ef0 6 bytes {JMP QWORD [RIP+0x9449140]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SystemParametersInfoA 0000000076f98184 6 bytes {JMP QWORD [RIP+0x9527eac]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetParent 0000000076f98530 6 bytes {JMP QWORD [RIP+0x9467b00]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetWindowLongA 0000000076f99bcc 6 bytes {JMP QWORD [RIP+0x91c6464]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!PostMessageA 0000000076f9a404 6 bytes {JMP QWORD [RIP+0x9205c2c]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!EnableWindow 0000000076f9aaa0 6 bytes {JMP QWORD [RIP+0x9565590]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!MoveWindow 0000000076f9aad0 6 bytes {JMP QWORD [RIP+0x9485560]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!GetAsyncKeyState 0000000076f9c720 6 bytes {JMP QWORD [RIP+0x9423910]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!RegisterHotKey 0000000076f9cd50 6 bytes {JMP QWORD [RIP+0x95032e0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!PostThreadMessageA 0000000076f9d2b0 6 bytes {JMP QWORD [RIP+0x9242d80]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageA 0000000076f9d338 6 bytes {JMP QWORD [RIP+0x9282cf8]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendNotifyMessageW 0000000076f9dc40 6 bytes {JMP QWORD [RIP+0x93623f0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SystemParametersInfoW 0000000076f9f510 6 bytes {JMP QWORD [RIP+0x9540b20]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetWindowsHookExW 0000000076f9f874 6 bytes {JMP QWORD [RIP+0x91807bc]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageTimeoutW 0000000076f9fac0 6 bytes {JMP QWORD [RIP+0x92e0570]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!PostThreadMessageW 0000000076fa0b74 6 bytes {JMP QWORD [RIP+0x925f4bc]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetWindowLongW 0000000076fa33b0 6 bytes {JMP QWORD [RIP+0x91dcc80]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetWinEventHook + 1 0000000076fa4d4d 5 bytes {JMP QWORD [RIP+0x919b2e4]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!GetKeyState 0000000076fa5010 6 bytes {JMP QWORD [RIP+0x93fb020]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageCallbackW 0000000076fa5438 6 bytes {JMP QWORD [RIP+0x931abf8]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageW 0000000076fa6b50 6 bytes {JMP QWORD [RIP+0x92994e0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!PostMessageW 0000000076fa76e4 6 bytes {JMP QWORD [RIP+0x921894c]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendDlgItemMessageW 0000000076fadd90 6 bytes {JMP QWORD [RIP+0x93922a0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!GetClipboardData 0000000076fae874 6 bytes {JMP QWORD [RIP+0x94d17bc]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetClipboardViewer 0000000076faf780 6 bytes {JMP QWORD [RIP+0x94908b0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendNotifyMessageA 0000000076fb28e4 6 bytes {JMP QWORD [RIP+0x932d74c]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!mouse_event 0000000076fb3894 6 bytes {JMP QWORD [RIP+0x912c79c]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!GetKeyboardState 0000000076fb8a10 6 bytes {JMP QWORD [RIP+0x93c7620]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageTimeoutA 0000000076fb8be0 6 bytes {JMP QWORD [RIP+0x92a7450]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000076fb8c20 6 bytes {JMP QWORD [RIP+0x9147410]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendInput 0000000076fb8cd0 6 bytes {JMP QWORD [RIP+0x93a7360]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!BlockInput 0000000076fbad60 6 bytes {JMP QWORD [RIP+0x94a52d0]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!ExitWindowsEx 0000000076fe14e0 6 bytes {JMP QWORD [RIP+0x953eb50]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!keybd_event 00000000770045a4 6 bytes {JMP QWORD [RIP+0x90bba8c]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendDlgItemMessageA 000000007700cc08 6 bytes {JMP QWORD [RIP+0x9313428]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\USER32.dll!SendMessageCallbackA 000000007700df18 6 bytes {JMP QWORD [RIP+0x9292118]} .text C:\windows\Explorer.EXE[1212] C:\windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcca50a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\ProgramData\DatacardService\DCSHelper.exe[1704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[3176] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\Windows\System32\hkcmd.exe[3216] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 55005c .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 7fe .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\Windows\System32\igfxpers.exe[3252] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x36dd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x38db70]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x3aa440]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x327c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x307658]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x346cec]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x4c4638]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x4a3750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] C:\windows\system32\SSPICLI.DLL!EncryptMessage 00000000039550a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 61 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x38db70]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x3aa440]} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 6ce9a202 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP ffffffff .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 83480021 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3396] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x4a3750]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x36dd64]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 730065 C:\Program Files (x86)\Lenovo\Energy Management\utility.exe .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 79f57cd5 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 593c60 C:\Program Files (x86)\Lenovo\Energy Management\utility.exe .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3404] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x4a3750]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\kernel32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x49dd64]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP e9f1c .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x4da440]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x377c98]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x357658]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x396cec]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 4f3f008f .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3568] C:\windows\system32\SspiCli.dll!EncryptMessage 0000000002c850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE[3640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70dd000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70dd000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70da000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70da000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e0000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e0000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70ce000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70ce000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d7000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d7000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d1000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d1000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d4000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d4000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\windows\SysWOW64\RunDll32.exe[3784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70d9000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70d9000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70df000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70df000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 70fa000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 70fa000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70f7000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70f7000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 70fd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 70fd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70eb000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70eb000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d3000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d3000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f1000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f1000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7178000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 717b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 7172000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 717e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 7181000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 716f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7157000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7145000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\USB Camera2\VM332_STI.EXE[4012] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70de000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70de000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 00000000cbb6c91d .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7102000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7102000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7105000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7105000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70db000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70db000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a7000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719e000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717d000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7174000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717a000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7177000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 715f000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7153000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710e000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714d000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7147000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7114000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7114000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7159000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712c000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7123000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7123000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710b000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7120000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7120000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7162000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7150000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7111000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7168000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713b000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7141000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714a000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716b000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711d000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711d000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7138000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7135000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7129000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 712f000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 712f000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7132000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7132000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7117000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7108000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716e000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7171000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7144000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713e000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711a000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711a000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7126000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7126000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7195000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7192000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7180000a .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[4036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70de000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70de000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70db000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70db000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 00000000cbb6d00d .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a7000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719e000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 717a000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 7174000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 7183000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 716b000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 7171000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 717d000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 7180000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 716e000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7156000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 714a000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7105000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7144000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 713e000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 715c000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 710b000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 710b000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7150000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7123000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 711a000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 711a000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7102000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7117000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7117000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7153000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 714d000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7159000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7147000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7108000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 715f000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7132000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7138000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7141000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7162000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7114000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7114000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 712f000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 712c000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7120000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7126000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7126000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7129000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7129000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 710e000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 70ff000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7165000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7168000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 713b000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7135000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7111000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7111000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 711d000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 711d000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7195000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7192000a .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4068] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7177000a .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3316] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1248] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70d9000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70d9000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70df000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 70fa000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70f7000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70f7000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 70fd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70eb000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d3000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d3000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f1000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7178000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 717b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 7172000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 717e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 7181000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 716f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7157000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7145000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\SearchIndexer.exe[3020] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 61746144 .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\Program Files\iPod\bin\iPodService.exe[2624] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4028] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000770e1430 8 bytes JMP 000000016fff00d8 .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[4688] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 452f .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\svchost.exe[4688] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f450a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[4860] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\windows\system32\svchost.exe[4860] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000db50a0 6 bytes {JMP QWORD [RIP+0x14af90]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\KERNEL32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\KERNEL32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\system32\svchost.exe[2300] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP ffffffff .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\windows\system32\svchost.exe[2300] C:\windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ee50a0 6 bytes {JMP QWORD [RIP+0xbaf90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa6f0 6 bytes {JMP QWORD [RIP+0x1d5940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff220c10 6 bytes {JMP QWORD [RIP+0x1cf420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 7b3c2084 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\windows\system32\SspiCli.dll!EncryptMessage 00000000013b50a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[828] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71ae000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71ae000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70de000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70de000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70db000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70db000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7102000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7102000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 00000000cbb6e55d .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 718f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7180000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7195000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7192000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7111000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7111000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7158000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7120000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7120000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7108000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 711d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 711d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7155000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 710e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7168000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7114000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7105000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7171000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7117000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7117000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7183000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7174000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7186000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 7189000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7177000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4976] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770b3b10 6 bytes {JMP QWORD [RIP+0x8f8c520]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000770e13a0 6 bytes {JMP QWORD [RIP+0x8f3ec90]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770e1570 6 bytes {JMP QWORD [RIP+0x94feac0]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000770e15e0 6 bytes {JMP QWORD [RIP+0x95dea50]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770e1620 6 bytes {JMP QWORD [RIP+0x959ea10]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000770e16c0 6 bytes {JMP QWORD [RIP+0x95fe970]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770e1750 6 bytes {JMP QWORD [RIP+0x957e8e0]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770e1790 6 bytes {JMP QWORD [RIP+0x947e8a0]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770e17e0 6 bytes {JMP QWORD [RIP+0x949e850]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000770e1800 6 bytes {JMP QWORD [RIP+0x95be830]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000770e19f0 6 bytes {JMP QWORD [RIP+0x967e640]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770e1b00 6 bytes {JMP QWORD [RIP+0x945e530]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000770e1bd0 6 bytes {JMP QWORD [RIP+0x951e460]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000770e1d20 6 bytes {JMP QWORD [RIP+0x961e310]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770e1d30 6 bytes {JMP QWORD [RIP+0x965e300]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770e20a0 6 bytes {JMP QWORD [RIP+0x953df90]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000770e2130 6 bytes {JMP QWORD [RIP+0x963df00]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770e29a0 6 bytes {JMP QWORD [RIP+0x955d690]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770e2a20 6 bytes {JMP QWORD [RIP+0x94bd610]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770e2aa0 6 bytes {JMP QWORD [RIP+0x94dd590]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\KERNEL32.dll!CreateProcessAsUserW 0000000076e798e0 6 bytes {JMP QWORD [RIP+0x9226750]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\KERNEL32.dll!CreateProcessW 0000000076e90650 6 bytes {JMP QWORD [RIP+0x91cf9e0]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\KERNEL32.dll!CreateProcessA 0000000076f0acf0 6 bytes {JMP QWORD [RIP+0x9175340]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes {JMP QWORD [RIP+0x344638]} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5416] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes {JMP QWORD [RIP+0x257658]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes {JMP QWORD [RIP+0x296cec]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes JMP 85d488a5 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4172] C:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e750a0 6 bytes JMP 57005a .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf39055 3 bytes [B5, 6F, 06] .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf453c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!DeleteDC 000007fefea622cc 6 bytes JMP 0 .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!BitBlt 000007fefea624c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!MaskBlt 000007fefea65bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!CreateDCW 000007fefea68398 6 bytes JMP 0 .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!CreateDCA 000007fefea689d8 6 bytes JMP 0 .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!GetPixel 000007fefea69344 6 bytes JMP 0 .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!StretchBlt 000007fefea6b9f8 6 bytes JMP 0 .text C:\windows\System32\WUDFHost.exe[5856] C:\windows\system32\GDI32.dll!PlgBlt 000007fefea6c8e0 6 bytes {JMP QWORD [RIP+0x323750]} .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007728f9e0 3 bytes JMP 71af000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtClose + 4 000000007728f9e4 2 bytes JMP 71af000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007728fcb0 3 bytes JMP 70f7000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007728fcb4 2 bytes JMP 70f7000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007728fd64 3 bytes JMP 70e2000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007728fd68 2 bytes JMP 70e2000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtOpenSection 000000007728fdc8 3 bytes JMP 70e8000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007728fdcc 2 bytes JMP 70e8000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007728fec0 3 bytes JMP 70df000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007728fec4 2 bytes JMP 70df000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateSection 000000007728ffa4 3 bytes JMP 70eb000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007728ffa8 2 bytes JMP 70eb000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077290004 3 bytes JMP 7103000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077290008 2 bytes JMP 7103000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077290084 3 bytes JMP 7100000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077290088 2 bytes JMP 7100000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772900b4 3 bytes JMP 70e5000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772900b8 2 bytes JMP 70e5000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772903b8 3 bytes JMP 70d3000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772903bc 2 bytes JMP 70d3000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077290550 3 bytes JMP 7106000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077290554 2 bytes JMP 7106000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077290694 3 bytes JMP 70f4000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077290698 2 bytes JMP 70f4000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007729088c 3 bytes JMP 70dc000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077290890 2 bytes JMP 70dc000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772908a4 3 bytes JMP 70d6000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772908a8 2 bytes JMP 70d6000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077290df4 3 bytes JMP 70f1000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077290df8 2 bytes JMP 70f1000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077290ed8 3 bytes JMP 70d9000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077290edc 2 bytes JMP 70d9000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077291be4 3 bytes JMP 70ee000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077291be8 2 bytes JMP 70ee000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077291cb4 3 bytes JMP 70fd000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077291cb8 2 bytes JMP 70fd000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077291d8c 3 bytes JMP 70fa000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077291d90 2 bytes JMP 70fa000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772b1287 6 bytes JMP 71a8000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074cd103d 6 bytes JMP 719c000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074cd1072 6 bytes JMP 7199000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074cfc9b5 6 bytes JMP 7190000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f0f784 6 bytes JMP 719f000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000074f12c9e 4 bytes CALL 71ac0000 .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7160000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7154000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 710f000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 714e000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7148000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7166000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7115000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7115000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 715a000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 712d000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetParent 00000000761a2d64 3 bytes JMP 7124000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetParent + 4 00000000761a2d68 2 bytes JMP 7124000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 710c000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7121000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7121000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 715d000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7157000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7163000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7151000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7112000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7169000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 713c000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7142000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 714b000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 716c000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 711e000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 711e000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7139000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7136000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 712a000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7130000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7130000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7133000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7133000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7118000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7109000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 716f000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7172000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7145000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 713f000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 711b000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 711b000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7127000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7127000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000765e58b3 6 bytes JMP 7184000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!BitBlt 00000000765e5ea6 6 bytes JMP 717e000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000765e7bcc 6 bytes JMP 718d000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!StretchBlt 00000000765eb895 6 bytes JMP 7175000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!MaskBlt 00000000765ec332 6 bytes JMP 717b000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!GetPixel 00000000765ecbfb 6 bytes JMP 7187000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000765ee743 6 bytes JMP 718a000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\GDI32.dll!PlgBlt 0000000076614857 6 bytes JMP 7178000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076512642 6 bytes JMP 7196000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076515429 6 bytes JMP 7193000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c8124e 6 bytes JMP 7181000a .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076051465 2 bytes [05, 76] .text C:\Users\IZA\Downloads\comodoooo\GMER\yd9j96ew.exe[5180] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760514bb 2 bytes [05, 76] .text ... * 2 ---- Processes - GMER 2.1 ---- Library c:\users\iza\appdata\local\temp\7zs61b4\hpslpsvc64.dll (*** suspicious ***) @ C:\windows\system32\svchost.exe [4860] (HP Network Devices Support/Hewlett-Packard Co.)(2013-11-20 20:43:43) 0000000001300000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e599a42e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e599a42e@d45d42a24eb0 0x05 0xEB 0x19 0xFA ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e599a42e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e599a42e@d45d42a24eb0 0x05 0xEB 0x19 0xFA ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----