GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-08 19:01:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM320HJ rev.2AK10001 298,09GB Running: gmer.exe; Driver: C:\Users\podst\AppData\Local\Temp\pwloypoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a1dc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a1de60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a1dc60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a1de60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD 
[RIP+0x8d82110]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 
bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text 
C:\Windows\system32\services.exe[580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\services.exe[580] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefea83440 6 bytes {JMP QWORD [RIP+0x10cbf0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000777b6ef0 6 bytes {JMP QWORD [RIP+0x8c89140]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000777b8184 6 bytes {JMP QWORD [RIP+0x8d67eac]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetParent 00000000777b8530 6 bytes {JMP QWORD [RIP+0x8ca7b00]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000777b9bcc 6 bytes {JMP QWORD [RIP+0x8a06464]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostMessageA 00000000777ba404 6 bytes {JMP QWORD [RIP+0x8a45c2c]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!EnableWindow 00000000777baaa0 6 bytes {JMP QWORD [RIP+0x8da5590]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!MoveWindow 00000000777baad0 6 bytes {JMP QWORD [RIP+0x8cc5560]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000777bc720 6 bytes {JMP QWORD [RIP+0x8c63910]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000777bcd50 6 bytes {JMP QWORD [RIP+0x8d432e0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000777bd2b0 6 bytes {JMP QWORD [RIP+0x8a82d80]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageA 00000000777bd338 6 bytes {JMP QWORD 
[RIP+0x8ac2cf8]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000777bdc40 6 bytes {JMP QWORD [RIP+0x8ba23f0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000777bf510 6 bytes {JMP QWORD [RIP+0x8d80b20]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000777bf874 6 bytes {JMP QWORD [RIP+0x89c07bc]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000777bfac0 6 bytes {JMP QWORD [RIP+0x8b20570]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000777c0b74 6 bytes {JMP QWORD [RIP+0x8a9f4bc]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777c33b0 6 bytes {JMP QWORD [RIP+0x8a1cc80]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000777c4d4d 5 bytes {JMP QWORD [RIP+0x89db2e4]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetKeyState 00000000777c5010 6 bytes {JMP QWORD [RIP+0x8c3b020]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000777c5438 6 bytes {JMP QWORD [RIP+0x8b5abf8]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageW 00000000777c6b50 6 bytes {JMP QWORD [RIP+0x8ad94e0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!PostMessageW 00000000777c76e4 6 bytes {JMP QWORD [RIP+0x8a5894c]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000777cdd90 6 bytes {JMP QWORD [RIP+0x8bd22a0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetClipboardData 00000000777ce874 6 bytes {JMP QWORD [RIP+0x8d117bc]} .text C:\Windows\system32\services.exe[580] 
C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000777cf780 6 bytes {JMP QWORD [RIP+0x8cd08b0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777d28e4 6 bytes {JMP QWORD [RIP+0x8b6d74c]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!mouse_event 00000000777d3894 6 bytes {JMP QWORD [RIP+0x896c79c]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000777d8a10 6 bytes {JMP QWORD [RIP+0x8c07620]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000777d8be0 6 bytes {JMP QWORD [RIP+0x8ae7450]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000777d8c20 6 bytes {JMP QWORD [RIP+0x8987410]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendInput 00000000777d8cd0 6 bytes {JMP QWORD [RIP+0x8be7360]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!BlockInput 00000000777dad60 6 bytes {JMP QWORD [RIP+0x8ce52d0]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778014e0 6 bytes {JMP QWORD [RIP+0x8d7eb50]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!keybd_event 00000000778245a4 6 bytes {JMP QWORD [RIP+0x88fba8c]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007782cc08 6 bytes {JMP QWORD [RIP+0x8b53428]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007782df18 6 bytes {JMP QWORD [RIP+0x8ad2118]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[580] 
C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes JMP 620065 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD 
[RIP+0x8be2000]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} 
.text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD 
[RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP 
QWORD [RIP+0x8de2070]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text 
C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text 
C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD 
[RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP 
QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[760] 
C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefea83440 6 bytes {JMP QWORD [RIP+0x10cbf0]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD 
[RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP 
QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[832] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 
0000000077a1dd30 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 8 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[964] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text 
C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 0 .text 
C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]} .text 
C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0x287c98]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x267674]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0x2a6d10]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x344648]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 
0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\System32\svchost.exe[388] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes 
[E8, 4F, 06] .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 208b88 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[824] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[824] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD 
[RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 6f2d .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 6e0069 .text C:\Windows\system32\svchost.exe[824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes JMP 720074 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes JMP 340036 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes JMP 52b82b20 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes JMP 630053 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes JMP 2d004500 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes JMP 2a2a2a2a .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes JMP 300030 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes JMP 4d0022 .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes JMP 680063 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes JMP 540079 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefea83440 6 bytes JMP 10000 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 4400431 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] 
C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdce9190 5 bytes JMP 50734900 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdf023e0 6 bytes {JMP QWORD [RIP+0xcadc50]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0x2cdd64]} .text C:\Windows\system32\Hpservice.exe[1244] 
C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x2edb70]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 69006e .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x267674]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0x2a6d10]} .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1244] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text 
C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes 
{JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\atieclxx.exe[1340] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 690074 .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x30a440]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x344648]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x323740]} .text C:\Windows\system32\atieclxx.exe[1340] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\System32\spoolsv.exe[1504] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text 
C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\System32\spoolsv.exe[1504] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0x2ddd64]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x2fdb70]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 14 .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0x297c98]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x277674]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0x2b6d10]} .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1504] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text 
C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD 
[RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[1536] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefea83440 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 21e100 .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1536] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text 
C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} 
.text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!CopyFileExW 
00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!StretchBlt 
000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\System32\svchost.exe[1624] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 
0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\svchost.exe[1656] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1656] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 3 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a 
.text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey 
Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 
0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text 
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files 
(x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 
0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey 
Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 
7136000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 
17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70eb000a .text C:\Program 
Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 7100000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 7100000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 7103000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70dc000a 
.text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files 
(x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 714e000a .text C:\Program Files 
(x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 7124000a .text C:\Program 
Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!DeleteDC 
000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 37343841 .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\wbem\unsecapp.exe[2100] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x153740]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text 
C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x13a440]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xb7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x97674]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xd6d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\GDI32.dll!PlgBlt 
000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x153740]} .text C:\Windows\system32\wbem\wmiprvse.exe[2256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files 
(x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 
0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files 
(x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files 
(x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] 
C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files 
(x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP 
QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2000000 .text C:\Windows\system32\svchost.exe[2856] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\System32\svchost.exe[2888] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text 
C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[2888] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\System32\svchost.exe[2888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\svchost.exe[2940] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 2a0000 .text C:\Windows\system32\svchost.exe[2940] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text 
C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 
bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\taskhost.exe[2824] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL 9b6 .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\taskhost.exe[2824] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[2824] 
C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\taskeng.exe[3096] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} 
.text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!StretchBlt 
000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP ed57ccee .text C:\Windows\system32\taskeng.exe[3096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text 
C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text 
C:\Windows\system32\Dwm.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\Dwm.exe[3124] 
C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Windows\system32\Dwm.exe[3124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\Explorer.EXE[3268] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP 
QWORD [RIP+0x8ca0d10]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL 67006f .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 7250202c .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP eebeef00 .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0x287c98]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x267674]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes JMP 0 .text 
C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 61007400 .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdce9190 5 bytes [FF, 25, A0, 6E, EC] .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdf023e0 6 bytes {JMP QWORD [RIP+0xc8dc50]} .text C:\Windows\Explorer.EXE[3268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL b03 .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Program Files\McAfee Security Scan\3.11.266\SSScheduler.exe[4040] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Program Files 
(x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 
bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 
bytes CALL b03 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 3fc1d0 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[4084] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 
7145000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files 
(x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 
0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll 
.text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Nuance\PDF Viewer 
Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 
0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text C:\Program 
Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] 
C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000076a69679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] 
C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!MoveWindow 0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files 
(x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] 
C:\Windows\syswow64\user32.DLL!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text 
C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 
2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 
0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 
0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 
70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text 
C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files 
(x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a 
.text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] 
C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 7145000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!MoveWindow 
0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 
bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7136000a .text C:\Program Files 
(x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP QWORD [RIP+0x8ce21c0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD 
[RIP+0x8c61fa0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text 
C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 0 .text 
C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\GWX\GWX.exe[3432] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70d6000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7181000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 7178000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 7184000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 717e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 717b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 7166000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 716c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 7169000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7151000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 7145000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 713f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 7157000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 714b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes 
JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 714e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 7148000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 7154000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7142000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7103000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 715a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7133000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 713c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 715d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 710f000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 7109000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7160000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7163000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 7136000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7130000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7172000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 7175000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 7145000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 
0000000076ac6cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 
0000000077bd0054 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 
70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c1000a .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70df000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] 
C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!DeleteDC 
00000000759258b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075cd9708 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075edb901 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 C:\Windows\syswow64\kernel32.dll .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779f3260 6 bytes {JMP QWORD [RIP+0x864cdd0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a1dca0 6 bytes {JMP QWORD [RIP+0x8602390]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a1dd70 6 bytes {JMP QWORD [RIP+0x8e422c0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a1de70 6 bytes {JMP 
QWORD [RIP+0x8ce21c0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a1dee0 6 bytes {JMP QWORD [RIP+0x8dc2150]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a1df20 6 bytes {JMP QWORD [RIP+0x8d82110]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a1dfc0 6 bytes {JMP QWORD [RIP+0x8de2070]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a1e030 6 bytes {JMP QWORD [RIP+0x8be2000]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a1e050 6 bytes {JMP QWORD [RIP+0x8d61fe0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a1e090 6 bytes {JMP QWORD [RIP+0x8c61fa0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a1e0e0 6 bytes {JMP QWORD [RIP+0x8c81f50]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a1e100 6 bytes {JMP QWORD [RIP+0x8da1f30]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a1e2f0 6 bytes {JMP QWORD [RIP+0x8e81d40]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077a1e300 6 bytes {JMP QWORD [RIP+0x8ba1d30]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a1e400 6 bytes {JMP QWORD [RIP+0x8b81c30]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a1e4d0 6 bytes {JMP QWORD [RIP+0x8d01b60]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a1e510 6 bytes {JMP QWORD [RIP+0x8c01b20]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a1e580 6 bytes {JMP QWORD [RIP+0x8bc1ab0]} .text 
C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077a1e5b0 6 bytes {JMP QWORD [RIP+0x8c41a80]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a1e610 6 bytes {JMP QWORD [RIP+0x8c21a20]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a1e620 6 bytes {JMP QWORD [RIP+0x8e01a10]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a1e630 6 bytes {JMP QWORD [RIP+0x8e61a00]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a1e9a0 6 bytes {JMP QWORD [RIP+0x8d21690]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a1ea30 6 bytes {JMP QWORD [RIP+0x8e21600]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a1f2a0 6 bytes {JMP QWORD [RIP+0x8d40d90]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a1f320 6 bytes {JMP QWORD [RIP+0x8ca0d10]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a1f3a0 6 bytes {JMP QWORD [RIP+0x8cc0c90]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text 
C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes [E8, 4F, 06] .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes JMP f5027468 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes JMP 0 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes JMP 724f6261 .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000777b6ef0 6 bytes {JMP QWORD [RIP+0x8c89140]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000777b8184 6 bytes {JMP QWORD [RIP+0x8d67eac]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetParent 00000000777b8530 6 bytes {JMP QWORD [RIP+0x8ca7b00]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000777b9bcc 6 bytes {JMP QWORD [RIP+0x8a06464]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!PostMessageA 00000000777ba404 6 bytes {JMP QWORD 
[RIP+0x8a45c2c]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!EnableWindow 00000000777baaa0 6 bytes {JMP QWORD [RIP+0x8da5590]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!MoveWindow 00000000777baad0 6 bytes {JMP QWORD [RIP+0x8cc5560]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000777bc720 6 bytes {JMP QWORD [RIP+0x8c63910]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000777bcd50 6 bytes {JMP QWORD [RIP+0x8d432e0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000777bd2b0 6 bytes {JMP QWORD [RIP+0x8a82d80]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageA 00000000777bd338 6 bytes {JMP QWORD [RIP+0x8ac2cf8]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000777bdc40 6 bytes {JMP QWORD [RIP+0x8ba23f0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000777bf510 6 bytes {JMP QWORD [RIP+0x8d80b20]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000777bf874 6 bytes {JMP QWORD [RIP+0x89c07bc]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000777bfac0 6 bytes {JMP QWORD [RIP+0x8b20570]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000777c0b74 6 bytes {JMP QWORD [RIP+0x8a9f4bc]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777c33b0 6 bytes {JMP QWORD [RIP+0x8a1cc80]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000777c4d4d 5 bytes {JMP QWORD [RIP+0x89db2e4]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!GetKeyState 00000000777c5010 6 bytes {JMP QWORD [RIP+0x8c3b020]} .text 
C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000777c5438 6 bytes {JMP QWORD [RIP+0x8b5abf8]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageW 00000000777c6b50 6 bytes {JMP QWORD [RIP+0x8ad94e0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!PostMessageW 00000000777c76e4 6 bytes {JMP QWORD [RIP+0x8a5894c]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000777cdd90 6 bytes {JMP QWORD [RIP+0x8bd22a0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!GetClipboardData 00000000777ce874 6 bytes {JMP QWORD [RIP+0x8d117bc]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000777cf780 6 bytes {JMP QWORD [RIP+0x8cd08b0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777d28e4 6 bytes {JMP QWORD [RIP+0x8b6d74c]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!mouse_event 00000000777d3894 6 bytes {JMP QWORD [RIP+0x896c79c]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000777d8a10 6 bytes {JMP QWORD [RIP+0x8c07620]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000777d8be0 6 bytes {JMP QWORD [RIP+0x8ae7450]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000777d8c20 6 bytes {JMP QWORD [RIP+0x8987410]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendInput 00000000777d8cd0 6 bytes {JMP QWORD [RIP+0x8be7360]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!BlockInput 00000000777dad60 6 bytes {JMP QWORD [RIP+0x8ce52d0]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778014e0 6 bytes {JMP QWORD [RIP+0x8d7eb50]} .text C:\totalcmd\TOTALCMD64.EXE[5020] 
C:\Windows\system32\USER32.dll!keybd_event 00000000778245a4 6 bytes {JMP QWORD [RIP+0x88fba8c]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007782cc08 6 bytes {JMP QWORD [RIP+0x8b53428]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007782df18 6 bytes {JMP QWORD [RIP+0x8ad2118]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdce9190 5 bytes [FF, 25, A0, 6E, F6] .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdf023e0 6 bytes {JMP QWORD [RIP+0xd2dc50]} .text C:\totalcmd\TOTALCMD64.EXE[5020] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778c1870 6 bytes {JMP QWORD [RIP+0x883e7c0]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778cdbc0 6 bytes {JMP QWORD [RIP+0x8792470]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007793f500 6 bytes {JMP QWORD [RIP+0x8760b30]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007793f530 6 bytes {JMP QWORD [RIP+0x87a0b00]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007793f700 6 bytes {JMP QWORD [RIP+0x8740930]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000779454d0 6 bytes {JMP QWORD [RIP+0x877ab60]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd80b022 3 bytes CALL 9b6 .text C:\Windows\servicing\TrustedInstaller.exe[192] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd8160e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff9874a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4222cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4224c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff425bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff428398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4289bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!GetPixel 000007feff429320 6 bytes JMP 0 .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff42b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\servicing\TrustedInstaller.exe[192] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff42c8f0 6 bytes {JMP QWORD [RIP+0x143740]} .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077bcfa2c 3 bytes JMP 71af000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077bcfa30 2 bytes JMP 71af000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077bcfb74 3 bytes JMP 70c1000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077bcfb78 2 bytes JMP 70c1000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bcfcfc 3 bytes JMP 70e2000a .text C:\Temp\gmer.exe[2816] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bcfd00 2 bytes JMP 70e2000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bcfdb0 3 bytes JMP 70cd000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bcfdb4 2 bytes JMP 70cd000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bcfe14 3 bytes JMP 70d3000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bcfe18 2 bytes JMP 70d3000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bcff0c 3 bytes JMP 70ca000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bcff10 2 bytes JMP 70ca000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077bcffc0 3 bytes JMP 70fa000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077bcffc4 2 bytes JMP 70fa000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077bcfff0 3 bytes JMP 70d6000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077bcfff4 2 bytes JMP 70d6000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bd0050 3 bytes JMP 70ee000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bd0054 2 bytes JMP 70ee000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bd00d0 3 bytes JMP 70eb000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bd00d4 2 bytes JMP 70eb000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bd0100 3 bytes JMP 70d0000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bd0104 2 bytes JMP 70d0000a .text C:\Temp\gmer.exe[2816] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bd0404 3 bytes JMP 70bb000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bd0408 2 bytes JMP 70bb000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077bd041c 3 bytes JMP 7100000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077bd0420 2 bytes JMP 7100000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bd059c 3 bytes JMP 7103000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bd05a0 2 bytes JMP 7103000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bd06e0 3 bytes JMP 70df000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bd06e4 2 bytes JMP 70df000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077bd0740 3 bytes JMP 70f7000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077bd0744 2 bytes JMP 70f7000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bd07e8 3 bytes JMP 70fd000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077bd07ec 2 bytes JMP 70fd000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077bd0830 3 bytes JMP 70f1000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077bd0834 2 bytes JMP 70f1000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bd08c0 3 bytes JMP 70f4000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077bd08c4 2 bytes JMP 70f4000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bd08d8 3 bytes JMP 70c7000a .text C:\Temp\gmer.exe[2816] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bd08dc 2 bytes JMP 70c7000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bd08f0 3 bytes JMP 70be000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bd08f4 2 bytes JMP 70be000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bd0e40 3 bytes JMP 70dc000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bd0e44 2 bytes JMP 70dc000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bd0f24 3 bytes JMP 70c4000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bd0f28 2 bytes JMP 70c4000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bd1c30 3 bytes JMP 70d9000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bd1c34 2 bytes JMP 70d9000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bd1d00 3 bytes JMP 70e8000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bd1d04 2 bytes JMP 70e8000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bd1dd8 3 bytes JMP 70e5000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bd1ddc 2 bytes JMP 70e5000a .text C:\Temp\gmer.exe[2816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bf3bfb 6 bytes JMP 71a8000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000770d3bab 3 bytes JMP 719c000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000770d3baf 2 bytes JMP 719c000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000770d9aa4 6 bytes JMP 7187000a 
.text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000770e3b62 6 bytes JMP 717e000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000770eccd1 6 bytes JMP 718a000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007713dc3e 6 bytes JMP 7184000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007713dce1 6 bytes JMP 7181000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000759af784 6 bytes JMP 719f000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000759b2ca4 4 bytes CALL 71ac0000 .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a68332 6 bytes JMP 715d000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a68bff 6 bytes JMP 7151000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a690d3 6 bytes JMP 710c000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a69679 6 bytes JMP 714b000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a697d2 6 bytes JMP 7145000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a6ee09 6 bytes JMP 7163000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a6efc9 3 bytes JMP 7112000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a6efcd 2 bytes JMP 7112000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a712a5 6 bytes JMP 7157000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a7291f 6 bytes JMP 712a000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a72d64 3 bytes JMP 7121000a .text 
C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a72d68 2 bytes JMP 7121000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a72da4 6 bytes JMP 7109000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a73698 3 bytes JMP 711e000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a7369c 2 bytes JMP 711e000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a73baa 6 bytes JMP 715a000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a73c61 6 bytes JMP 7154000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a76110 6 bytes JMP 7160000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a7612e 6 bytes JMP 714e000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a76c30 6 bytes JMP 710f000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a77603 6 bytes JMP 7166000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a77668 6 bytes JMP 7139000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a776e0 6 bytes JMP 713f000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a7781f 6 bytes JMP 7148000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a7835c 6 bytes JMP 7169000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a7c4b6 3 bytes JMP 711b000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a7c4ba 2 bytes JMP 711b000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a8c112 6 bytes JMP 7136000a .text C:\Temp\gmer.exe[2816] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a8d0f5 6 bytes JMP 7133000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a8eb96 6 bytes JMP 7127000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a8ec68 3 bytes JMP 712d000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a8ec6c 2 bytes JMP 712d000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a8ff4a 3 bytes JMP 7130000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a8ff4e 2 bytes JMP 7130000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076aa9f1d 6 bytes JMP 7115000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076ab1497 6 bytes JMP 7106000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076ac027b 6 bytes JMP 716c000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076ac02bf 6 bytes JMP 716f000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076ac6cfc 6 bytes JMP 7142000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076ac6d5d 6 bytes JMP 713c000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076ac7dd7 3 bytes JMP 7118000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076ac7ddb 2 bytes JMP 7118000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076ac88eb 3 bytes JMP 7124000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076ac88ef 2 bytes JMP 7124000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759258b3 6 bytes JMP 718d000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075925ea5 
6 bytes JMP 717b000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075927ba4 6 bytes JMP 7196000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007592b986 6 bytes JMP 7190000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007592ba5f 6 bytes JMP 7172000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007592cc01 6 bytes JMP 7178000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007592ea03 6 bytes JMP 7193000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075954969 6 bytes JMP 7175000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077609d0b 6 bytes JMP 7199000a .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075c21401 2 bytes JMP 770eb21b C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075c21419 2 bytes JMP 770eb346 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075c21431 2 bytes JMP 77168f29 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075c2144a 2 bytes CALL 770c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075c214dd 2 bytes JMP 77168822 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075c214f5 2 bytes JMP 771689f8 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075c2150d 2 bytes JMP 77168718 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075c21525 2 bytes JMP 77168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075c2153d 2 bytes JMP 770dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075c21555 2 bytes JMP 770e68ef C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075c2156d 2 bytes JMP 77168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075c21585 2 bytes JMP 77168b42 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075c2159d 2 bytes JMP 771686dc C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075c215b5 2 bytes JMP 770dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075c215cd 2 bytes JMP 770eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075c216b2 2 bytes JMP 77168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Temp\gmer.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075c216bd 2 bytes JMP 77168671 
C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Process \\?\C:\Windows\system32\wbem\WMIADAP.EXE (*** suspicious ***) @ \\?\C:\Windows\system32\wbem\WMIADAP.EXE [4444] (WMI Reverse Performance Adapter Maintenance Utility/Microsoft Corporation)(2009-07-13 23:47:22) 00000000ff4e0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----