GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-29 17:33:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-35ZEST0 rev.01.01A01 298,09GB Running: 9xesggct.exe; Driver: C:\Users\Mat\AppData\Local\Temp\uxrirpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007733d460 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007733d660 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007733d460 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007733d660 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\services.exe[600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\services.exe[600] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff203d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000770df864 6 bytes {JMP QWORD [RIP+0x90607cc]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000770e4d3d 5 bytes {JMP QWORD [RIP+0x907b2f4]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000770f8c20 6 bytes {JMP QWORD [RIP+0x9027410]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff203d60 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 63002000 .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[844] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff203d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007733d530 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes JMP 8d310f0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes JMP 1013f5f .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes JMP 65b79a8 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes JMP 8fc4888 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes JMP 912ad90 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes JMP 9042b60 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes JMP 5cc6591 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes JMP 57a1e51 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes JMP 9022aa8 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes JMP 8cdad51 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes JMP 8f476f0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes JMP 566ce68 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes JMP 939b2d1 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes JMP f18c0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes JMP 8e42390 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes JMP 1054a24 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes JMP 1013596 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes JMP 8e82500 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes JMP 57a6751 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes JMP 8fe5958 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes JMP 5cc6591 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes JMP 11a201 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes JMP 8fdf028 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes JMP 5cc6591 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes JMP fc5c0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes JMP 8f61538 .text C:\Windows\System32\svchost.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes JMP 9 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes JMP 8bb84b0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes JMP f30c0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes JMP 1015189 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes JMP 599b688 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes JMP 8e351a0 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes JMP 9025018 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff203d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdd88fe4 6 bytes {JMP QWORD [RIP+0x10e704c]} .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdfa2398 6 bytes {JMP QWORD [RIP+0xe9dc98]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\AUDIODG.EXE[1100] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\WLANExt.exe[1380] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 42b042b .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x44dd64]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0x407c98]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x3e7674]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0x426d10]} .text C:\Windows\System32\spoolsv.exe[1484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff203d60 6 bytes JMP 99f5 .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffe0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f390 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239ae0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077249570 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077268890 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes JMP 620065 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef089d0 8 bytes JMP 000007fefd1901f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef0be40 8 bytes JMP 000007fefd1901b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 11 bytes JMP 000007fefd190228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeafbee0 7 bytes JMP 000007fefd190260 .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL d8c00 .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 1000100 .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\nvvsvc.exe[1668] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 714b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 714b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 7157000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 7157000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7169000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7169000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7148000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7148000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 7160000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 7160000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 715a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 715a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 7130000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 7130000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 7145000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 7145000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 712d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 7151000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 7151000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 714e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7184000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7181000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 716f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 7172000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 7175000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes [4A, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes [56, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes [68, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes [47, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes [5F, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes [59, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes [2F, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes [44, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes [2C, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes [41, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes [50, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes [4D, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1924] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000006fff0228 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffe0 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f390 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239ae0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077249570 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077268890 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef089d0 8 bytes JMP 000007fefd1901f0 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef0be40 8 bytes JMP 000007fefd1901b8 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef884dc88 5 bytes JMP 000007fef88200d8 .text C:\Windows\system32\Dwm.exe[2096] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef884de10 5 bytes JMP 000007fef8820110 .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 740072 .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes JMP 620065 .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000770df864 6 bytes {JMP QWORD [RIP+0x90607cc]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000770e4d3d 5 bytes {JMP QWORD [RIP+0x907b2f4]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000770f8c20 6 bytes {JMP QWORD [RIP+0x9027410]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdd88fe4 6 bytes {JMP QWORD [RIP+0x10b704c]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdfa2398 6 bytes {JMP QWORD [RIP+0xe7dc98]} .text C:\Windows\Explorer.EXE[2112] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\taskeng.exe[2144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000006fff0228 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffe0 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f390 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239ae0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077249570 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077268890 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef089d0 8 bytes JMP 000007fefd1901f0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef0be40 8 bytes JMP 000007fefd1901b8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 11 bytes JMP 000007fefd190228 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeafbee0 7 bytes JMP 000007fefd190260 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 7066000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 7066000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 7098000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 7098000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7074000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7074000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 707a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 707a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7071000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7071000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 707d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 707d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7077000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7077000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7060000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7060000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7167000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7167000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7095000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7095000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 706e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 706e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7063000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7063000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 7092000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 7092000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 706b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 706b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7080000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7080000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 709e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 709e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7186000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7189000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7183000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7180000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 0000000070353780 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 716e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 7171000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 7174000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7195000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 718f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7192000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7177000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 717a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 11 bytes JMP 000007fefd190228 .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2400] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeafbee0 7 bytes JMP 000007fefd190260 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x13dd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xf7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0xd7674]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0x116d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007733d530 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 8 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000006fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffe0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f390 5 bytes JMP 000000006fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239ae0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077249570 5 bytes JMP 000000006fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077268890 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef089d0 8 bytes JMP 000007fefd1901f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef0be40 8 bytes JMP 000007fefd1901b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 11 bytes JMP 000007fefd190228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeafbee0 7 bytes JMP 000007fefd190260 .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\hkcmd.exe[2736] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000006fff0228 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000006fff0180 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffe0 5 bytes JMP 000000006fff01b8 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f390 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239ae0 7 bytes JMP 000000006fff00d8 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077249570 5 bytes JMP 000000006fff0148 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077268890 7 bytes JMP 000000006fff01f0 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd1a2db0 5 bytes JMP 000007fefd190180 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd1a3700 7 bytes JMP 000007fefd1900d8 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd1a9140 5 bytes JMP 000007fefd190148 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd1aa2b0 5 bytes JMP 000007fefd190110 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef089d0 8 bytes JMP 000007fefd1901f0 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef0be40 8 bytes JMP 000007fefd1901b8 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 11 bytes JMP 000007fefd190228 .text C:\Windows\System32\igfxpers.exe[1144] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeafbee0 7 bytes JMP 000007fefd190260 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 7129000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 714a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 714a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7135000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 713b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 713b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7132000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7132000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7162000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7162000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 713e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 713e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7153000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7153000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7138000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7123000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7168000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7168000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7147000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7147000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 715f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 715f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7165000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7165000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 7159000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 7159000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 715c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 715c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 712f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 712f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7126000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 7144000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 7144000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 712c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7141000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7141000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 7150000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 7150000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 714d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 714d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7186000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7189000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7183000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7180000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 00000000012836f6 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075108a39 5 bytes JMP 0000000070352b20 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 716e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 7171000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 7174000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7195000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 718f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7192000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7177000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 717a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075dc5ea5 5 bytes JMP 0000000070352ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 5 bytes JMP 0000000070352a70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 7129000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 7129000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 714a000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 714a000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7135000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7135000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 713b000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 713b000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7132000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7132000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7162000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7162000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 713e000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 713e000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 7156000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 7156000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7153000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7153000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7138000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7138000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7123000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7123000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7168000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7168000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716b000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716b000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7147000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7147000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 715f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 715f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7165000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7165000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 7159000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 7159000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 715c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 715c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 712f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 712f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7126000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7126000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 7144000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 7144000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 712c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 712c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7141000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7141000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 7150000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 7150000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 714d000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 714d000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7186000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717d000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7189000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7183000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7180000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 0000000070353780 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718c000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7195000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 718f000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7192000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075108a39 5 bytes JMP 0000000070352b20 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 716e000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 7171000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 7174000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7177000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 717a000a .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075dc5ea5 5 bytes JMP 0000000070352ae0 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 5 bytes JMP 0000000070352a70 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NetMeter\NetMeter.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 7129000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 7129000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 714a000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 714a000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7135000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7135000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 713b000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 713b000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7132000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7132000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7162000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7162000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 713e000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 713e000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 7156000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 7156000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7153000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7153000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7138000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7138000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7123000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7123000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7168000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7168000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 716b000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 716b000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7147000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7147000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 715f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 715f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7165000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7165000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 7159000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 7159000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 715c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 715c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 712f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 712f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7126000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 7126000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 7144000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 7144000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 712c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 712c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7141000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7141000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 7150000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 7150000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 714d000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 714d000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7186000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717d000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7189000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7183000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7180000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 0000000070353780 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075108a39 5 bytes JMP 0000000070352b20 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007510ee19 6 bytes JMP 716e000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075117613 6 bytes JMP 7171000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007511836c 6 bytes JMP 7174000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718c000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7195000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 718f000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7192000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7177000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 717a000a .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075dc5ea5 5 bytes JMP 0000000070352ae0 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 5 bytes JMP 0000000070352a70 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0x13dd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xf7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0xd7674]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0x116d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 713d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 713d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 7143000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 7143000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 7146000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 7146000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 713a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 713a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 7140000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 7140000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 7134000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 7134000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 7137000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 7137000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 7101000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 00000000774f0949 1 byte [71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7161000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 7158000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7164000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 715e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 715b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 0000000070353780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075dc5ea5 5 bytes JMP 0000000070352ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075df9ccb 5 bytes JMP 0000000070352a70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 7167000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7170000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 716a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 716d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075108a39 5 bytes JMP 0000000070352b20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 7149000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 714c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 714f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000760a9698 6 bytes JMP 7152000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000762abae9 6 bytes JMP 7155000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3292] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes [67, 6D, 06] .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes JMP 0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0x407c98]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x3e7674]} .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes JMP 0 .text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3236] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL d8c00 .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 1000100 .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\SearchProtocolHost.exe[3976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\system32\svchost.exe[3272] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077312dc0 6 bytes {JMP QWORD [RIP+0x8d2d270]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007733d4a0 6 bytes {JMP QWORD [RIP+0x8ce2b90]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007733d570 6 bytes {JMP QWORD [RIP+0x9102ac0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007733d670 6 bytes {JMP QWORD [RIP+0x8fa29c0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007733d6e0 6 bytes {JMP QWORD [RIP+0x9082950]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007733d720 6 bytes {JMP QWORD [RIP+0x9042910]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007733d7c0 6 bytes {JMP QWORD [RIP+0x90a2870]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007733d830 6 bytes {JMP QWORD [RIP+0x8ea2800]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007733d850 6 bytes {JMP QWORD [RIP+0x90227e0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007733d890 6 bytes {JMP QWORD [RIP+0x8f227a0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007733d8e0 6 bytes {JMP QWORD [RIP+0x8f42750]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007733d900 6 bytes {JMP QWORD [RIP+0x9062730]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007733daf0 6 bytes {JMP QWORD [RIP+0x9142540]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007733db00 6 bytes {JMP QWORD [RIP+0x8e62530]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007733dc00 6 bytes {JMP QWORD [RIP+0x8e42430]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007733dcd0 6 bytes {JMP QWORD [RIP+0x8fc2360]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007733dd10 6 bytes {JMP QWORD [RIP+0x8ec2320]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007733dd80 6 bytes {JMP QWORD [RIP+0x8e822b0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007733ddb0 6 bytes {JMP QWORD [RIP+0x8f02280]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007733de10 6 bytes {JMP QWORD [RIP+0x8ee2220]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007733de20 6 bytes {JMP QWORD [RIP+0x90c2210]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007733de30 6 bytes {JMP QWORD [RIP+0x9122200]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007733e1a0 6 bytes {JMP QWORD [RIP+0x8fe1e90]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007733e230 6 bytes {JMP QWORD [RIP+0x90e1e00]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007733eaa0 6 bytes {JMP QWORD [RIP+0x9001590]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007733eb20 6 bytes {JMP QWORD [RIP+0x8f61510]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007733eba0 6 bytes {JMP QWORD [RIP+0x8f81490]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771e1890 6 bytes {JMP QWORD [RIP+0x8f1e7a0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771edb80 6 bytes {JMP QWORD [RIP+0x8e724b0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007725f540 6 bytes {JMP QWORD [RIP+0x8e40af0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007725f570 6 bytes {JMP QWORD [RIP+0x8e80ac0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007725f740 6 bytes {JMP QWORD [RIP+0x8e208f0]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077265510 6 bytes {JMP QWORD [RIP+0x8e5ab20]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefd1a92a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1b36f0 5 bytes JMP 30000 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef022cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef08398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef089bc 6 bytes {JMP QWORD [RIP+0x87674]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef09320 6 bytes {JMP QWORD [RIP+0xc6d10]} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefeae7470 6 bytes {JMP QWORD [RIP+0x318bc0]} .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774efa80 3 bytes JMP 71af000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000774efa84 2 bytes JMP 71af000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000774efbc8 3 bytes JMP 712f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000774efbcc 2 bytes JMP 712f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efd50 3 bytes JMP 7150000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000774efd54 2 bytes JMP 7150000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efe04 3 bytes JMP 713b000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000774efe08 2 bytes JMP 713b000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efe68 3 bytes JMP 7141000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000774efe6c 2 bytes JMP 7141000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774eff60 3 bytes JMP 7138000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000774eff64 2 bytes JMP 7138000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000774f0014 3 bytes JMP 7168000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000774f0018 2 bytes JMP 7168000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774f0044 3 bytes JMP 7144000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000774f0048 2 bytes JMP 7144000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f00a4 3 bytes JMP 715c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000774f00a8 2 bytes JMP 715c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0124 3 bytes JMP 7159000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000774f0128 2 bytes JMP 7159000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f0154 3 bytes JMP 713e000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774f0158 2 bytes JMP 713e000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f0458 3 bytes JMP 7129000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774f045c 2 bytes JMP 7129000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774f0470 3 bytes JMP 716e000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774f0474 2 bytes JMP 716e000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f05f0 3 bytes JMP 7171000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774f05f4 2 bytes JMP 7171000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0734 3 bytes JMP 714d000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000774f0738 2 bytes JMP 714d000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774f0794 3 bytes JMP 7165000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774f0798 2 bytes JMP 7165000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774f083c 3 bytes JMP 716b000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000774f0840 2 bytes JMP 716b000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774f0884 3 bytes JMP 715f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774f0888 2 bytes JMP 715f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000774f0914 3 bytes JMP 7162000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000774f0918 2 bytes JMP 7162000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f092c 3 bytes JMP 7135000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000774f0930 2 bytes JMP 7135000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f0944 3 bytes JMP 712c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774f0948 2 bytes JMP 712c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0e94 3 bytes JMP 714a000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000774f0e98 2 bytes JMP 714a000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0f78 3 bytes JMP 7132000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000774f0f7c 2 bytes JMP 7132000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1c84 3 bytes JMP 7147000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000774f1c88 2 bytes JMP 7147000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1d54 3 bytes JMP 7156000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000774f1d58 2 bytes JMP 7156000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1e2c 3 bytes JMP 7153000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000774f1e30 2 bytes JMP 7153000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077513d8c 6 bytes JMP 71a8000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075b81f0e 7 bytes JMP 0000000070353c50 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075b85bad 7 bytes JMP 0000000070354290 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075b91409 7 bytes JMP 0000000070353ea0 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b93bbb 3 bytes JMP 719c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075b93bbf 2 bytes JMP 719c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b99abc 6 bytes JMP 7186000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075b9ea5d 7 bytes JMP 0000000070353c40 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075ba3b7a 6 bytes JMP 717d000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075bacce1 6 bytes JMP 7189000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000075bfdcbe 6 bytes JMP 7183000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000075bfdd61 6 bytes JMP 7180000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c28f8c 7 bytes JMP 00000000703536c0 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c29011 5 bytes JMP 0000000070353770 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075c29367 5 bytes JMP 00000000703536d0 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075fbf897 6 bytes JMP 719f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fc1e3d 5 bytes JMP 0000000070353680 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fc1eeb 5 bytes JMP 0000000070353640 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fc2bcd 5 bytes JMP 0000000070353780 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075fc2e0c 4 bytes CALL 71ac0000 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fc2e7f 5 bytes JMP 0000000070353480 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007510ee19 6 bytes JMP 7174000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075114582 5 bytes JMP 0000000070353400 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075117613 6 bytes JMP 7177000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007511836c 6 bytes JMP 717a000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007512e587 5 bytes JMP 0000000070353470 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000751508ab 5 bytes JMP 0000000070352960 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075167b24 5 bytes JMP 00000000703533e0 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757c58b3 6 bytes JMP 718c000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000757c7ba4 6 bytes JMP 7195000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000757cb986 6 bytes JMP 718f000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000757cd2b4 5 bytes JMP 0000000070352c60 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000757cd4ee 5 bytes JMP 0000000070352c70 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000757cea03 6 bytes JMP 7192000a .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 75bab233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 75bab35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 75c29011 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 75b848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 75c2890a C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75c28ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 75c28800 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75c28bca C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 75b9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 75ba6907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 75c290c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75c28c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 75c287c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 75b9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 75bab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 75c28f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mat\Desktop\9xesggct.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75c28759 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1660] @ C:\Windows\system32\OLEACC.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\system32\Dwm.exe[2096] @ C:\Windows\system32\WindowsCodecs.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\system32\Dwm.exe[2096] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\system32\taskeng.exe[2180] @ C:\Windows\system32\taskeng.exe[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\system32\taskeng.exe[2180] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\system32\taskeng.exe[2180] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\DSOUND.dll[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\PROPSYS.dll[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\WindowsCodecs.dll[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] @ C:\Windows\system32\AUDIOSES.DLL[ole32.dll!CoCreateInstance] [7fefee80000] IAT C:\Windows\System32\igfxpers.exe[1144] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefede0000] IAT C:\Windows\System32\igfxpers.exe[1144] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefede0000] ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1ff57fd Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1ff57fd (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.2 ---- File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\7C8939A43D7AAB07EE0F015BCBCC9237171A2230 22891 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\0D775B3502F2B47F24D9C056B6C3F38610C574E5 93626 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\F46274F845CC123082A2AB55D4C23E33382BA415 3622 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\37A11A4E382388C819DB058E155BEE60674D8C5A 2339 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\DD54A760CDA2BB1843FECBDA6F3C614260B8F9CE 6281 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\8190D8512B6A4C70073C10FF369FFBC49E684538 6243 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\CFBF39ACE012D30EEC65649537D25BB08246D194 9164 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\14670782D28ED9846CE66D119DBB54F6D941F0F4 1986 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\658A0E735A52E54CDD98201EFD61BA5310CC69B0 3551 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\4EDAA656AE0BE8776FD81C9A5D3974717C2622DC 3543 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\6A40F7D47BC5853C587B8F7007F809513A03991A 2203 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\CA4820E523B4AA0EBED0DB74D8F236AC83EA08D6 3758 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\D9299249B74D0B496E8CC7975102E5F1A6ABF5E9 24485 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\74B7F8F46CD69A41809DDC9D93D6771DAE6C4DEF 5975 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\C7D491B3670AC6534C0577564D581E241B5BA25F 51426 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\12EF022DCEEA9D41629312E0C6015F7B7146CB8F 1801 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\C2CD6565975337862FD29AC1DF2964C275FE46D4 25723 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\D24FAA088235DE8973FAE0785A52F222D6D180F4 3001 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\4F4288CED96752AFFE2120637113050B44BECB21 1974 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\2040DE9C69875FEA0CB425699FDB6A655F4A9A98 25723 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\5EBDEA5929BB6A34EA44A2EBDD45CAA70957E0C5 6660 bytes File C:\Users\Mat\AppData\Local\Mozilla\Firefox\Profiles\fje22xwn.default\cache2\entries\1D6D9A71BF6E586D574716842389C9CAB7ABB3DD 2090 bytes ---- EOF - GMER 2.2 ----