.text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 00000000772cf90d 3 bytes [C5, BF, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 00000000772cf911 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 1 00000000772cf929 3 bytes [ED, DB, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 5 00000000772cf92d 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 3 bytes JMP 71af000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772cf9e4 2 bytes JMP 71af000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 3 bytes JMP 70bd000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772cfb2c 2 bytes JMP 70bd000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 3 bytes JMP 70de000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772cfcb4 2 bytes JMP 70de000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772cfd64 3 bytes JMP 70c9000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772cfd68 2 bytes JMP 70c9000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 3 bytes JMP 70cf000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772cfdcc 2 bytes JMP 70cf000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772cfec0 3 bytes JMP 70c6000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772cfec4 2 bytes JMP 70c6000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772cff74 3 bytes JMP 70f6000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772cff78 2 bytes JMP 70f6000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 3 bytes JMP 70d2000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772cffa8 2 bytes JMP 70d2000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 3 bytes JMP 70ea000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772d0008 2 bytes JMP 00000000cbbac97d .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772d0084 3 bytes JMP 70e7000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772d0088 2 bytes JMP 70e7000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 3 bytes JMP 70cc000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772d00b8 2 bytes JMP 70cc000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772d03b8 3 bytes JMP 70b7000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772d03bc 2 bytes JMP 70b7000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772d03d0 3 bytes JMP 70fc000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772d03d4 2 bytes JMP 70fc000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d0550 3 bytes JMP 70ff000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772d0554 2 bytes JMP 70ff000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772d0694 3 bytes JMP 70db000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772d0698 2 bytes JMP 70db000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772d06f4 3 bytes JMP 70f3000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772d06f8 2 bytes JMP 70f3000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 3 bytes JMP 70f9000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772d07a0 2 bytes JMP 70f9000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772d07e4 3 bytes JMP 70ed000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772d07e8 2 bytes JMP 70ed000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772d0874 3 bytes JMP 70f0000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772d0878 2 bytes JMP 70f0000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d088c 3 bytes JMP 70c3000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772d0890 2 bytes JMP 70c3000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 3 bytes JMP 70ba000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772d08a8 2 bytes JMP 70ba000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 00000000772d0965 3 bytes [95, C1, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 00000000772d0969 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 3 bytes JMP 70d8000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772d0df8 2 bytes JMP 70d8000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772d0ed8 3 bytes JMP 70c0000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772d0edc 2 bytes JMP 70c0000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 00000000772d1431 3 bytes [B8, E0, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 00000000772d1435 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 00000000772d1ae9 3 bytes [40, E1, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 00000000772d1aed 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 3 bytes JMP 70d5000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772d1be8 2 bytes JMP 70d5000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772d1cb4 3 bytes JMP 70e4000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772d1cb8 2 bytes JMP 70e4000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 00000000772d1d55 3 bytes [E6, B8, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 00000000772d1d59 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 00000000772d1d71 3 bytes [47, B8, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 00000000772d1d75 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 3 bytes JMP 70e1000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772d1d90 2 bytes JMP 70e1000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772f1287 6 bytes JMP 71a8000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076dc3bbb 3 bytes JMP 719c000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076dc3bbf 2 bytes JMP 719c000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076dc9aa4 6 bytes JMP 7184000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076dd3b62 6 bytes JMP 717b000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076ddccd1 6 bytes JMP 7187000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076e2dbde 6 bytes JMP 7181000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076e2dc81 3 bytes JMP 717e000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076e2dc85 2 bytes JMP 717e000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007689f784 6 bytes JMP 719f000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000768a2c9e 4 bytes CALL 71ac0000 .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c6124e 6 bytes JMP 718a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 715a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 714e000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7108000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7148000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7142000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076199a56 3 bytes [48, E2, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076199a5a 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7160000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 710e000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 710e000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!ShowWindow + 1 00000000761a0dfc 3 bytes [89, E2, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!ShowWindow + 5 00000000761a0e00 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7154000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7127000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetParent + 1 00000000761a2d65 3 bytes [C9, E4, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetParent + 5 00000000761a2d69 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7105000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 711a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 711a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7157000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7151000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 1 00000000761a4ab7 3 bytes [40, E6, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 5 00000000761a4abb 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 715d000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 714b000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 710b000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7163000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7136000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 713c000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7145000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7166000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7117000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7117000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7133000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7130000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7124000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 712a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 712a000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 712d000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 712d000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7111000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 7102000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7169000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 716c000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 713f000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7139000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000761f7d98 3 bytes [DB, E2, 09] .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000761f7d9c 2 bytes {JMP RAX} .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7114000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7114000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7121000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7121000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760058b3 6 bytes JMP 718d000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076005ea6 6 bytes JMP 7178000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076007bcc 6 bytes JMP 7196000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007600b895 6 bytes JMP 716f000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007600c332 6 bytes JMP 7175000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007600cbfb 6 bytes JMP 7190000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007600e743 6 bytes JMP 7193000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076034857 6 bytes JMP 7172000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075e09d0b 6 bytes JMP 7199000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077281401 2 bytes JMP 76ddb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077281419 2 bytes JMP 76ddb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077281431 2 bytes JMP 76e58ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007728144a 2 bytes CALL 76db48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772814dd 2 bytes JMP 76e587a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772814f5 2 bytes JMP 76e58978 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007728150d 2 bytes JMP 76e58698 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077281525 2 bytes JMP 76e58a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007728153d 2 bytes JMP 76dcfca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077281555 2 bytes JMP 76dd68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007728156d 2 bytes JMP 76e58f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077281585 2 bytes JMP 76e58ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007728159d 2 bytes JMP 76e5865c C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772815b5 2 bytes JMP 76dcfd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772815cd 2 bytes JMP 76ddb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772816b2 2 bytes JMP 76e58e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772816bd 2 bytes JMP 76e585f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000074cf9708 6 bytes JMP 70b1000a .text C:\Users\nand\AppData\Roaming\EB32014F-1434737585-E311-AD99-28D2442A78C1\nsa56A3.tmpfs[3092] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000074efb901 6 bytes JMP 70b4000a .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x17e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 18] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 18, 00] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes {JMP QWORD [RIP+0x7f712]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[3244] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 00000000772cf90d 3 bytes [C5, BF, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 00000000772cf911 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 1 00000000772cf929 3 bytes [ED, DB, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 5 00000000772cf92d 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772cf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 3 bytes JMP 70b7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772cfb2c 2 bytes JMP 70b7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 3 bytes JMP 70d8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772cfcb4 2 bytes JMP 70d8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772cfd64 3 bytes JMP 70c3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772cfd68 2 bytes JMP 70c3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 3 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772cfdcc 2 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772cfec0 3 bytes JMP 70c0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772cfec4 2 bytes JMP 70c0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772cff74 3 bytes JMP 70f0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772cff78 2 bytes JMP 70f0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772cffa8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 3 bytes JMP 70e4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772d0008 2 bytes JMP 70e4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772d0084 3 bytes JMP 70e1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772d0088 2 bytes JMP 70e1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 3 bytes JMP 70c6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772d00b8 2 bytes JMP 70c6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772d03b8 3 bytes JMP 70b1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772d03bc 2 bytes JMP 70b1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772d03d0 3 bytes JMP 70f6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772d03d4 2 bytes JMP 70f6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d0550 3 bytes JMP 70f9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772d0554 2 bytes JMP 70f9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772d0694 3 bytes JMP 70d5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772d0698 2 bytes JMP 70d5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772d06f4 3 bytes JMP 70ed000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772d06f8 2 bytes JMP 70ed000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 3 bytes JMP 70f3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772d07a0 2 bytes JMP 70f3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772d07e4 3 bytes JMP 70e7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772d07e8 2 bytes JMP 70e7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772d0874 3 bytes JMP 70ea000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772d0878 2 bytes JMP 00000000cbbad1ed .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d088c 3 bytes JMP 70bd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772d0890 2 bytes JMP 70bd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 3 bytes JMP 70b4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772d08a8 2 bytes JMP 70b4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 00000000772d0965 3 bytes [95, C1, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 00000000772d0969 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 3 bytes JMP 70d2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772d0df8 2 bytes JMP 70d2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772d0ed8 3 bytes JMP 70ba000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772d0edc 2 bytes JMP 70ba000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 00000000772d1431 3 bytes [B8, E0, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 00000000772d1435 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 00000000772d1ae9 3 bytes [40, E1, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 00000000772d1aed 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772d1be8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772d1cb4 3 bytes JMP 70de000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772d1cb8 2 bytes JMP 70de000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 00000000772d1d55 3 bytes [E6, B8, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 00000000772d1d59 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 00000000772d1d71 3 bytes [47, B8, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 00000000772d1d75 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 3 bytes JMP 70db000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772d1d90 2 bytes JMP 70db000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772f1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076dc3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076dc3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076dc9aa4 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076dd3b62 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076ddccd1 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076e2dbde 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076e2dc81 3 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076e2dc85 2 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007689f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000768a2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c6124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760058b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076005ea6 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076007bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007600b895 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007600c332 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007600cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007600e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076034857 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7102000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076199a56 3 bytes [48, E2, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076199a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7108000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7108000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!ShowWindow + 1 00000000761a0dfc 3 bytes [89, E2, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!ShowWindow + 5 00000000761a0e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetParent + 1 00000000761a2d65 3 bytes [C9, E4, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetParent + 5 00000000761a2d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 70ff000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 7114000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 7114000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 1 00000000761a4ab7 3 bytes [40, E6, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 5 00000000761a4abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7105000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7111000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7111000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 710b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 70fc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000761f7d98 3 bytes [DB, E2, 1A] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000761f7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 710e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 710e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000074cf9708 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000074efb901 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075e09d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077281401 2 bytes JMP 76ddb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077281419 2 bytes JMP 76ddb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077281431 2 bytes JMP 76e58ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007728144a 2 bytes CALL 76db48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772814dd 2 bytes JMP 76e587a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772814f5 2 bytes JMP 76e58978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007728150d 2 bytes JMP 76e58698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077281525 2 bytes JMP 76e58a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007728153d 2 bytes JMP 76dcfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077281555 2 bytes JMP 76dd68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007728156d 2 bytes JMP 76e58f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077281585 2 bytes JMP 76e58ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007728159d 2 bytes JMP 76e5865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772815b5 2 bytes JMP 76dcfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772815cd 2 bytes JMP 76ddb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772816b2 2 bytes JMP 76e58e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772816bd 2 bytes JMP 76e585f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x6e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 16040e1d .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes JMP 620020 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes JMP ecb9c033 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes JMP 24848b48 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes JMP f8588948 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 24448938 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes JMP 37e8d233 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3336] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013a50a0 6 bytes JMP c2c95b5e .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x17e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 18] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 18, 00] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes {JMP QWORD [RIP+0x7f712]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3484] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000015d50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 00000000772cf90d 3 bytes [C5, BF, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 00000000772cf911 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 1 00000000772cf929 3 bytes [ED, DB, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile + 5 00000000772cf92d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772cf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772cf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000772cfb28 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000772cfb2c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772cfcb0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772cfcb4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772cfd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772cfd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772cfdc8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772cfdcc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772cfec0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772cfec4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772cff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000772cff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772cffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772cffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772d0004 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772d0008 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772d0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772d0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772d00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772d00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772d03b8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772d03bc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000772d03d0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000772d03d4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772d0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772d0694 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772d0698 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000772d06f4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000772d06f8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000772d07a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000772d07e4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000772d07e8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772d0874 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000772d0878 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d088c 3 bytes JMP 70be000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772d0890 2 bytes JMP 70be000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772d08a4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772d08a8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 00000000772d0965 3 bytes [95, C1, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 00000000772d0969 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772d0df4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772d0df8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772d0ed8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772d0edc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 00000000772d1431 3 bytes [B8, E0, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 00000000772d1435 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 00000000772d1ae9 3 bytes [40, E1, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 00000000772d1aed 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772d1be4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772d1be8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772d1cb4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772d1cb8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 00000000772d1d55 3 bytes [E6, B8, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 00000000772d1d59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 00000000772d1d71 3 bytes [47, B8, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 00000000772d1d75 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772d1d8c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772d1d90 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772f1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076dc3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076dc3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076dc9aa4 6 bytes JMP 7184000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076dd3b62 6 bytes JMP 717b000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076ddccd1 6 bytes JMP 7187000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 0000000076e2dbde 6 bytes JMP 7181000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 0000000076e2dc81 3 bytes JMP 717e000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW + 4 0000000076e2dc85 2 bytes JMP 717e000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007689f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000768a2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076198332 6 bytes JMP 715a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076198bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000761990d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076199679 6 bytes JMP 7148000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000761997d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076199a56 3 bytes [48, E2, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076199a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007619ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007619efc9 3 bytes JMP 7109000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007619efcd 2 bytes JMP 7109000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!ShowWindow + 1 00000000761a0dfc 3 bytes [89, E2, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!ShowWindow + 5 00000000761a0e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000761a12a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000761a291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent + 1 00000000761a2d65 3 bytes [C9, E4, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent + 5 00000000761a2d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000761a2da4 6 bytes JMP 7100000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000761a3698 3 bytes JMP 711a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000761a369c 2 bytes JMP 711a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000761a3baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000761a3c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 1 00000000761a4ab7 3 bytes [40, E6, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowPlacement + 5 00000000761a4abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000761a6110 6 bytes JMP 715d000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000761a612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000761a6c30 6 bytes JMP 7106000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761a7603 6 bytes JMP 7163000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000761a7668 6 bytes JMP 7136000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000761a76e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000761a781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000761a835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000761ac4b6 3 bytes JMP 7117000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000761ac4ba 2 bytes JMP 7117000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000761bc112 6 bytes JMP 7133000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000761bd0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000761beb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000761bec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000761bec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput 00000000761bff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000761bff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000761d9f1d 6 bytes JMP 7111000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000761e1497 6 bytes JMP 70fd000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!mouse_event 00000000761f027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!keybd_event 00000000761f02bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000761f6cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000761f6d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000761f7d98 3 bytes [DB, E2, 21] .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000761f7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput 00000000761f7dd7 3 bytes JMP 7114000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000761f7ddb 2 bytes JMP 7114000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000761f88eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000761f88ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000760058b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076005ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076007bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007600b895 6 bytes JMP 716f000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007600c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007600cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007600e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076034857 6 bytes JMP 7172000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074c6124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075e09d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077281401 2 bytes JMP 76ddb21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077281419 2 bytes JMP 76ddb346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077281431 2 bytes JMP 76e58ea9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007728144a 2 bytes CALL 76db48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772814dd 2 bytes JMP 76e587a2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772814f5 2 bytes JMP 76e58978 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007728150d 2 bytes JMP 76e58698 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077281525 2 bytes JMP 76e58a62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007728153d 2 bytes JMP 76dcfca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077281555 2 bytes JMP 76dd68ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007728156d 2 bytes JMP 76e58f61 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077281585 2 bytes JMP 76e58ac2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007728159d 2 bytes JMP 76e5865c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772815b5 2 bytes JMP 76dcfd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772815cd 2 bytes JMP 76ddb2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772816b2 2 bytes JMP 76e58e24 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772816bd 2 bytes JMP 76e585f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000074cf9708 6 bytes JMP 70ac000a .text C:\Program Files (x86)\Schneider Electric\MiCOM S1 Studio\Data Model Manager\DMM.WindowsService.exe[3532] C:\Windows\syswow64\shell32.dll!SHFileOperation 0000000074efb901 6 bytes JMP 70af000a .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x6e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 16040e1d .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes JMP 620020 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes JMP ecb9c033 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes JMP 24848b48 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes JMP f8588948 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 24448938 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes JMP 37e8d233 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3660] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes {JMP QWORD [RIP+0x7f712]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\conhost.exe[3668] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 720065 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3752] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 4 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011550a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x5add64]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x5cdb70]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x5ea440]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x547658]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x586cec]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x624638]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x603750]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3880] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000017150a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP ffacffba .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes {JMP QWORD [RIP+0x7f712]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\wbem\unsecapp.exe[3404] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0xfe8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 10] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 10, 00] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes {JMP QWORD [RIP+0x7f712]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4128] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000019450a0 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[4536] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[4592] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012950a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 760073 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[4716] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011850a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x6e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 07] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 07, 00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 16040e1d .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes JMP 620020 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes JMP ecb9c033 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes JMP 24848b48 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes JMP f8588948 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 24448938 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes JMP 37e8d233 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4900] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\taskeng.exe[4956] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x4e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 4 bytes [48, B8, 00, 57] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 05] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 05, 00] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP d6fd0000 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes JMP 138a0000 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes JMP 117d0000 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes JMP 13901390 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 5700560 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes JMP 47f00000 .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\conhost.exe[4988] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes JMP 5000000 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes JMP 12000000 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes JMP 3000000 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes JMP b000000 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\Dwm.exe[5036] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x7e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes {JMP QWORD [RIP+0x953e420]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 08] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 08, 00] .text C:\Windows\Explorer.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes JMP 7ed1 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes {JMP QWORD [RIP+0x234638]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes {JMP QWORD [RIP+0x213750]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 4c18348 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd699190 5 bytes [FF, 25, A0, 6E, D9] .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefd8b23e0 6 bytes {JMP QWORD [RIP+0xb5dc50]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\Explorer.EXE[5044] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcbb50a0 6 bytes {JMP QWORD [RIP+0x13af90]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770f3b10 6 bytes {JMP QWORD [RIP+0x8f4c520]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 00000000771211d7 11 bytes {MOV EAX, 0x6e8c0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077121320 5 bytes [48, B8, 60, 27, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077121328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077121330 5 bytes [48, B8, 00, 57, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077121338 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077121380 5 bytes [48, B8, B0, 2B, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077121388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771213a0 6 bytes {JMP QWORD [RIP+0x8efec90]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077121430 5 bytes [48, B8, F0, 09, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077121438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077121440 5 bytes [48, B8, 60, 59, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077121448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077121470 5 bytes [48, B8, B0, 2C, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077121478 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771214d0 5 bytes [48, B8, 40, 3F, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 00000000771214d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077121500 5 bytes [48, B8, 70, 5A, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077121508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077121510 5 bytes [48, B8, 40, 06, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077121518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077121520 5 bytes [48, B8, B0, 25, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077121528 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077121530 5 bytes [48, B8, 70, 17, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077121538 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077121550 5 bytes [48, B8, 00, 19, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077121558 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077121570 5 bytes [48, B8, 30, 08, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077121578 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771215e0 5 bytes [48, B8, 80, 24, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771215e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077121610 5 bytes [48, B8, 80, 5B, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077121618 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077121620 5 bytes [48, B8, A0, 16, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077121628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077121650 5 bytes [48, B8, A0, 0C, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077121658 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077121670 5 bytes [48, B8, B0, 2D, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077121678 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 00000000771216a0 5 bytes [48, B8, 60, 0B, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 00000000771216a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771216b0 5 bytes [48, B8, 90, 4F, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 00000000771216b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771216c0 6 bytes {JMP QWORD [RIP+0x97ce970]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtContinue 00000000771216e0 5 bytes [48, B8, A0, 58, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtContinue + 8 00000000771216e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077121700 5 bytes [48, B8, F0, 1F, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077121708 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077121730 5 bytes [48, B8, 80, 4E, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077121738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077121750 5 bytes [48, B8, 40, 15, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077121758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077121780 5 bytes [48, B8, 20, 48, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077121788 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077121790 5 bytes [48, B8, 90, 1C, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077121798 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771217b0 5 bytes [48, B8, 70, 0F, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771217b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771217e0 5 bytes [48, B8, 10, 09, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 00000000771217e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077121800 5 bytes [48, B8, B0, 22, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077121808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077121870 5 bytes [48, B8, C0, 4C, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077121878 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771219f0 6 bytes {JMP QWORD [RIP+0x989e640]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077121a00 6 bytes {JMP QWORD [RIP+0x94be630]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077121b00 6 bytes {JMP QWORD [RIP+0x949e530]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077121bd0 6 bytes {JMP QWORD [RIP+0x968e460]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077121c10 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077121c80 5 bytes [48, B8, 60, 50, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077121c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077121c90 5 bytes [48, B8, F0, 53, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077121c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077121ca0 5 bytes [48, B8, A0, 4D, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077121ca8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077121cb0 6 bytes {JMP QWORD [RIP+0x958e380]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077121cd0 5 bytes [48, B8, B0, 46, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077121cd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077121ce0 5 bytes [48, B8, 70, 5C, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077121ce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077121cf0 5 bytes [48, B8, 10, 5E, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077121cf8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077121d10 5 bytes [48, B8, 10, 52, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077121d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077121d20 5 bytes [48, B8, 20, 56, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077121d28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077121d30 5 bytes [48, B8, 10, 1E, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077121d38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077121d80 5 bytes [48, B8, B0, 49, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077121d88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077121db0 5 bytes [48, B8, C0, 2A, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077121db8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077121e00 5 bytes [48, B8, C0, 26, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077121e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077121fc0 5 bytes [48, B8, B0, 30, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077121fc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077121fd0 5 bytes [48, B8, C0, 31, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077121fd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771220a0 5 bytes [48, B8, 00, 3E, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000771220a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077122130 6 bytes {JMP QWORD [RIP+0x981df00]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077122240 5 bytes [48, B8, 40, 51, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077122248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077122290 5 bytes [48, B8, 20, 53, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077122298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771222c0 5 bytes [48, B8, 30, 07, 07] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771222c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 00000000771224b0 6 bytes [48, B8, C0, 5F, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 00000000771224b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771225c0 6 bytes [48, B8, 30, 21, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 00000000771225c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000771225e0 6 bytes [48, B8, 90, 4B, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000771225e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771227e0 6 bytes [48, B8, A0, 1B, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000771227e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077122900 6 bytes [48, B8, 80, 60, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077122908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771229a0 6 bytes [48, B8, 30, 3D, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000771229a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077122a20 6 bytes {JMP QWORD [RIP+0x960d610]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077122a80 6 bytes [48, B8, E0, 1A, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077122a88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077122a90 6 bytes [48, B8, F0, 19, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077122a98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077122aa0 6 bytes [48, B8, 00, 3C, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077122aa8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077122b20 6 bytes [48, B8, A0, 3E, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077122b28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077122b80 6 bytes [48, B8, 30, 61, 07, 00] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077122b88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076fc1890 6 bytes {JMP QWORD [RIP+0x913e7a0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fcdb80 6 bytes {JMP QWORD [RIP+0x90924b0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007703f490 6 bytes {JMP QWORD [RIP+0x9060ba0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007703f4c0 6 bytes {JMP QWORD [RIP+0x90a0b70]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007703f690 6 bytes {JMP QWORD [RIP+0x90409a0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077045460 6 bytes {JMP QWORD [RIP+0x907abd0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefced9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcee53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe4b7490 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefeec22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!BitBlt 000007fefeec24c0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefeec5bf0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefeec8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefeec89d8 6 bytes {JMP QWORD [RIP+0x157658]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!GetPixel 000007fefeec9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefeecb9f8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefeecc8e0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000076eb1df0 6 bytes JMP 16040e1d .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076eb6ef0 6 bytes {JMP QWORD [RIP+0x9599140]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowPlacement 0000000076eb8150 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076eb8184 6 bytes {JMP QWORD [RIP+0x9687eac]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetParent 0000000076eb8530 6 bytes JMP 620020 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076eb9bcc 6 bytes {JMP QWORD [RIP+0x9306464]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!PostMessageA 0000000076eba404 6 bytes {JMP QWORD [RIP+0x9345c2c]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!EnableWindow 0000000076ebaaa0 6 bytes {JMP QWORD [RIP+0x96c5590]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!MoveWindow 0000000076ebaad0 4 bytes [FF, 25, 60, 55] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!MoveWindow + 5 0000000076ebaad5 1 byte [09] .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076ebc720 6 bytes {JMP QWORD [RIP+0x9573910]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!DestroyWindow 0000000076ebcbf0 6 bytes JMP ecb9c033 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!DestroyWindow + 64 0000000076ebcc30 6 bytes JMP 24848b48 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076ebcd50 6 bytes {JMP QWORD [RIP+0x96632e0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076ebd2b0 6 bytes {JMP QWORD [RIP+0x9382d80]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageA 0000000076ebd338 6 bytes {JMP QWORD [RIP+0x93c2cf8]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076ebdc40 6 bytes {JMP QWORD [RIP+0x94a23f0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076ebf510 6 bytes {JMP QWORD [RIP+0x96a0b20]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000076ebf860 6 bytes JMP f8588948 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076ebf874 6 bytes {JMP QWORD [RIP+0x92c07bc]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076ebfac0 6 bytes {JMP QWORD [RIP+0x9420570]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076ec0b60 6 bytes JMP 24448938 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ec0b74 6 bytes {JMP QWORD [RIP+0x939f4bc]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!ShowWindow 0000000076ec1930 6 bytes JMP 37e8d233 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!ClientToScreen + 104 0000000076ec3320 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ec33b0 6 bytes {JMP QWORD [RIP+0x931cc80]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ec4d4d 5 bytes {JMP QWORD [RIP+0x92db2e4]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWinEventHook + 212 0000000076ec4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ec5010 6 bytes {JMP QWORD [RIP+0x954b020]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ec5438 6 bytes {JMP QWORD [RIP+0x945abf8]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076ec6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ec6b50 6 bytes {JMP QWORD [RIP+0x93d94e0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076ec76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ec76e4 6 bytes {JMP QWORD [RIP+0x935894c]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076ecdd90 6 bytes {JMP QWORD [RIP+0x94d22a0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076ece874 6 bytes {JMP QWORD [RIP+0x96317bc]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076ecf780 6 bytes {JMP QWORD [RIP+0x95f08b0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076ed28e4 6 bytes {JMP QWORD [RIP+0x946d74c]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!mouse_event 0000000076ed3894 6 bytes {JMP QWORD [RIP+0x926c79c]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076ed8a10 6 bytes {JMP QWORD [RIP+0x9517620]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076ed8be0 6 bytes {JMP QWORD [RIP+0x93e7450]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076ed8c20 6 bytes {JMP QWORD [RIP+0x9287410]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendInput 0000000076ed8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!ShowWindowAsync 0000000076ed96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!BlockInput 0000000076edad60 6 bytes {JMP QWORD [RIP+0x96052d0]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f014e0 6 bytes {JMP QWORD [RIP+0x969eb50]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!keybd_event 0000000076f245a4 6 bytes {JMP QWORD [RIP+0x91fba8c]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f2cc08 6 bytes {JMP QWORD [RIP+0x9453428]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f2df18 6 bytes {JMP QWORD [RIP+0x93d2118]} .text C:\Windows\system32\taskhost.exe[4820] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000032d50a0 6 bytes {JMP QWORD [RIP+0x44af90]}