GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-14 00:02:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST1000DM005_HD103SJ rev.1AJ10001 931,51GB Running: h9qc9c3b.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773ebbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773ebde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773ebbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773ebde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP 
QWORD [RIP+0x93b4190]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\services.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text 
C:\Windows\system32\services.exe[884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\services.exe[884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000772a6ee0 6 bytes {JMP QWORD [RIP+0x9199150]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000772a8164 6 bytes {JMP QWORD [RIP+0x9277ecc]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetParent 00000000772a8500 6 bytes {JMP QWORD [RIP+0x91b7b30]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000772a9bb0 6 bytes {JMP QWORD [RIP+0x8f16480]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!PostMessageA 00000000772aa3d8 6 bytes {JMP QWORD [RIP+0x8f55c58]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!EnableWindow 00000000772aaa84 6 bytes {JMP QWORD [RIP+0x92b55ac]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!MoveWindow 00000000772aaab0 6 bytes {JMP QWORD [RIP+0x91d5580]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000772ac6dc 6 bytes {JMP QWORD [RIP+0x9173954]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000772acd20 6 bytes {JMP QWORD [RIP+0x9253310]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000772ad2b4 6 bytes {JMP QWORD [RIP+0x8f92d7c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageA 00000000772ad33c 6 bytes {JMP QWORD [RIP+0x8fd2cf4]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000772adc20 6 bytes 
{JMP QWORD [RIP+0x90b2410]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000772af4f0 6 bytes {JMP QWORD [RIP+0x9290b40]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000772af864 6 bytes {JMP QWORD [RIP+0x8ed07cc]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000772afab0 6 bytes {JMP QWORD [RIP+0x9030580]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000772b0b64 6 bytes {JMP QWORD [RIP+0x8faf4cc]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772b3380 6 bytes {JMP QWORD [RIP+0x8f2ccb0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000772b4d3d 5 bytes {JMP QWORD [RIP+0x8eeb2f4]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!GetKeyState 00000000772b4ff0 6 bytes {JMP QWORD [RIP+0x914b040]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000772b5428 6 bytes {JMP QWORD [RIP+0x906ac08]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageW 00000000772b6b60 6 bytes {JMP QWORD [RIP+0x8fe94d0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!PostMessageW 00000000772b7724 6 bytes {JMP QWORD [RIP+0x8f6890c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000772bddcc 6 bytes {JMP QWORD [RIP+0x90e2264]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!GetClipboardData 00000000772be884 6 bytes {JMP QWORD [RIP+0x92217ac]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000772bf7a0 6 bytes {JMP QWORD [RIP+0x91e0890]} .text C:\Windows\system32\services.exe[884] 
C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772c28e4 6 bytes {JMP QWORD [RIP+0x907d74c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!mouse_event 00000000772c38a4 6 bytes {JMP QWORD [RIP+0x8e7c78c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772c8a10 6 bytes {JMP QWORD [RIP+0x9117620]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772c8bd8 6 bytes {JMP QWORD [RIP+0x8ff7458]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772c8c20 6 bytes {JMP QWORD [RIP+0x8e97410]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendInput 00000000772c8cd0 6 bytes {JMP QWORD [RIP+0x90f7360]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!BlockInput 00000000772cad50 6 bytes {JMP QWORD [RIP+0x91f52e0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772f1574 6 bytes {JMP QWORD [RIP+0x928eabc]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!keybd_event 0000000077314650 6 bytes {JMP QWORD [RIP+0x8e0b9e0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007731cccc 6 bytes {JMP QWORD [RIP+0x9063364]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007731dfbc 6 bytes {JMP QWORD [RIP+0x8fe2074]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\services.exe[884] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\services.exe[884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 6570975e .text C:\Windows\system32\services.exe[884] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 53006d .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD 
[RIP+0x9394060]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} 
.text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text 
C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\lsass.exe[900] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP fd216d90 .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP 
QWORD [RIP+0x9394060]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text 
C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 368025ff .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\lsm.exe[908] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\lsm.exe[908] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD 
[RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 
00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes JMP 6c006c .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] 
C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 5645 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 310039 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA 
Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files 
(x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D 
Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program 
Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 
00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[724] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text 
C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 339320 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773ebcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 00000000773ec082 6 bytes {JMP 0xfffffffff8c04090} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP 
QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 
00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD 
[RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 690066 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text 
C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD 
[RIP+0x9353710]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 1200120 .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!MaskBlt 
000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP d43 .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\System32\svchost.exe[1088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 310030 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes JMP 93b23e1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes JMP 88180 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes JMP 958d7e8 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes JMP c25aee1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes JMP ba13ba13 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes JMP 5c0053 .text 
C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes JMP 93b1e61 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes JMP 11e080 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes JMP 94ffb81 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes JMP 93b1e61 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes JMP 860580 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes JMP 192d80 .text C:\Windows\System32\svchost.exe[1132] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes JMP 93b23e1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes JMP 65480 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes JMP bfe8c009 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes JMP 25658606 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\System32\svchost.exe[1132] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\System32\svchost.exe[1132] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1176] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text 
C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 
bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text 
C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD 
[RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[1208] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 200038 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe608fe4 5 bytes [FF, 25, 4C, 70, D5] .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe822398 6 bytes {JMP QWORD [RIP+0xb5dc98]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD 
[RIP+0x9314240]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes 
{JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\AUDIODG.EXE[1276] 
C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x30458c]} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1304] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD 
[RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 1200120 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP d43 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text 
C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD 
[RIP+0x9233ba0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\System32\spoolsv.exe[1556] 
C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 480102 .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x2c8abc]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x30458c]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x2e3890]} .text C:\Windows\System32\spoolsv.exe[1556] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text 
C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD 
[RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1600] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} 
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program 
Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program 
Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD 
[RIP+0x8e90960]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Program Files\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 5D] .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD 
[RIP+0x10dd50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience 
Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text 
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1904] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} 
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\Intel\iCLS 
Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 5C] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x2c8abc]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!CreateDCA 
000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x30458c]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 4be24d2e .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x369320]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70ee000a .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] 
C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 
bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7157000a 
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 
710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Program 
Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a 
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes 
JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Program Files 
(x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 
714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 
bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes 
JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common 
Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 
3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common 
Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] 
C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000076943495 5 bytes JMP 000000000245e290 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a 
.text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 
bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common 
Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 
0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[1356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 
70e2000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 
bytes JMP 715a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 
712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] 
C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072b017fa 2 bytes CALL 769411a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072b01860 2 bytes CALL 769411a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072b01942 2 bytes JMP 76826da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072b0194d 2 bytes JMP 7682e8de C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 
769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\PSIService.exe[1700] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text 
C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 
2 bytes JMP 70b8000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\PSIService.exe[1700] 
C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text 
C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text 
C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text 
C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\PSIService.exe[1700] 
C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 
C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PSIService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[1880] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text 
C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[1880] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 
00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\viakaraokesrv.exe[2068] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP ffffffff .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\viakaraokesrv.exe[2068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP 
QWORD [RIP+0x9453680]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 1000100 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] 
C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 38880000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text 
C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP 
QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\taskhost.exe[2792] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 4d68636d .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x30458c]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD 
[RIP+0x91f3b30]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes 
{JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2848] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\Explorer.EXE[2884] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} 
.text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\Explorer.EXE[2884] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 5C] .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000772a6ee0 6 bytes {JMP QWORD [RIP+0x9199150]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000772a8164 6 bytes {JMP QWORD [RIP+0x9277ecc]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetParent 00000000772a8500 6 bytes {JMP QWORD [RIP+0x91b7b30]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000772a9bb0 6 bytes {JMP QWORD [RIP+0x8f16480]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!PostMessageA 00000000772aa3d8 6 bytes {JMP QWORD [RIP+0x8f55c58]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!EnableWindow 00000000772aaa84 6 bytes {JMP QWORD [RIP+0x92b55ac]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!MoveWindow 00000000772aaab0 6 bytes {JMP QWORD 
[RIP+0x91d5580]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000772ac6dc 6 bytes {JMP QWORD [RIP+0x9173954]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000772acd20 6 bytes {JMP QWORD [RIP+0x9253310]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000772ad2b4 6 bytes {JMP QWORD [RIP+0x8f92d7c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageA 00000000772ad33c 6 bytes {JMP QWORD [RIP+0x8fd2cf4]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000772adc20 6 bytes {JMP QWORD [RIP+0x90b2410]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000772af4f0 6 bytes {JMP QWORD [RIP+0x9290b40]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000772af864 6 bytes {JMP QWORD [RIP+0x8ed07cc]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000772afab0 6 bytes {JMP QWORD [RIP+0x9030580]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000772b0b64 6 bytes {JMP QWORD [RIP+0x8faf4cc]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000772b3380 6 bytes {JMP QWORD [RIP+0x8f2ccb0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000772b4d3d 5 bytes {JMP QWORD [RIP+0x8eeb2f4]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!GetKeyState 00000000772b4ff0 6 bytes {JMP QWORD [RIP+0x914b040]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000772b5428 6 bytes {JMP QWORD [RIP+0x906ac08]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageW 00000000772b6b60 6 bytes {JMP QWORD [RIP+0x8fe94d0]} .text C:\Windows\Explorer.EXE[2884] 
C:\Windows\system32\USER32.dll!PostMessageW 00000000772b7724 6 bytes {JMP QWORD [RIP+0x8f6890c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000772bddcc 6 bytes {JMP QWORD [RIP+0x90e2264]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!GetClipboardData 00000000772be884 6 bytes {JMP QWORD [RIP+0x92217ac]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000772bf7a0 6 bytes {JMP QWORD [RIP+0x91e0890]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772c28e4 6 bytes {JMP QWORD [RIP+0x907d74c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!mouse_event 00000000772c38a4 6 bytes {JMP QWORD [RIP+0x8e7c78c]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000772c8a10 6 bytes {JMP QWORD [RIP+0x9117620]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000772c8bd8 6 bytes {JMP QWORD [RIP+0x8ff7458]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772c8c20 6 bytes {JMP QWORD [RIP+0x8e97410]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendInput 00000000772c8cd0 6 bytes {JMP QWORD [RIP+0x90f7360]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!BlockInput 00000000772cad50 6 bytes {JMP QWORD [RIP+0x91f52e0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772f1574 6 bytes {JMP QWORD [RIP+0x928eabc]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!keybd_event 0000000077314650 6 bytes {JMP QWORD [RIP+0x8e0b9e0]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007731cccc 6 bytes {JMP QWORD [RIP+0x9063364]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007731dfbc 6 bytes {JMP QWORD 
[RIP+0x8fe2074]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe608fe4 5 bytes [FF, 25, 4C, 70, D7] .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe822398 6 bytes {JMP QWORD [RIP+0xb3dc98]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 428490 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text 
C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes 
{JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text 
C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2944] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 2d0031 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[3860] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text 
C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 620075 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 40a .text C:\Windows\system32\svchost.exe[3860] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 
bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD 
[RIP+0x9433a90]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 5C] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x34dca0]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0x2e7e4c]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0x2c781c]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] 
C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0x3072c4]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x3a458c]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x383890]} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[4068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text 
C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 
00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0D] .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x141dca0]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x1478abc]} .text 
C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x14b458c]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x1493890]} .text C:\Windows\WindowsMobile\wmdc.exe[4076] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773ebcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text 
C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 433d7365 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 2427 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 730077 .text C:\Program Files\iTunes\iTunesHelper.exe[3368] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD 
[RIP+0x9314240]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes 
{JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[3360] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\svchost.exe[3360] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 339338 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA 
Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077142bdc 5 bytes JMP 
0000000001148c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text 
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA 
Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA 
Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad 
C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70bf000a .text C:\Program Files 
(x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70da000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70da000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 
00000000775a0888 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes 
JMP 70d1000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files 
(x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7167000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7152000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 713d000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 70f8000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7137000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7131000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7158000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 714c000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7116000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 710d000a .text C:\Program 
Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 710d000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 710a000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 710a000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 714f000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7149000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7155000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 713a000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 70fb000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 715b000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7125000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 712b000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7134000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 715e000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 
0000000076b1c4c6 3 bytes JMP 7107000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7107000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7122000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 711f000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7113000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7119000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 711c000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 711c000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7101000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7161000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7164000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 712e000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7128000a .text C:\Program Files 
(x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7104000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7104000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7110000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7110000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text 
C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text 
C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\SearchIndexer.exe[4192] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text 
C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD 
[RIP+0x9433a90]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 5C] .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x2adca0]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x2c8abc]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x30458c]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x2e3890]} .text C:\Program Files\iPod\bin\iPodService.exe[4268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x369320]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text 
C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD 
[RIP+0x91f3b30]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\svchost.exe[4424] 
C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4424] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\System32\svchost.exe[4632] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text 
C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 
000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\System32\svchost.exe[4632] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text 
C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text 
C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} 
.text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 270064 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 340046 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 7 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Program Files\CCleaner\CCleaner64.exe[4688] 
C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 7090000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 7090000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70b1000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70b1000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 709c000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 709c000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70a2000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70a2000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 
7099000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 7099000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70c9000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70c9000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70a5000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70a5000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70bd000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70bd000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70ba000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70ba000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 709f000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 709f000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 708a000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 708a000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70cf000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70cf000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70d2000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70d2000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70ae000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70ae000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70c6000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70c6000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70cc000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70cc000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70c0000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70c0000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70c3000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70c3000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 7096000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 7096000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 708d000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 708d000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70ab000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70ab000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 7093000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 7093000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70a8000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70a8000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70b4000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70b4000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7181000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 7178000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 717e000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 717b000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7151000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 70db000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 713f000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 70e1000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 70e1000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 70f9000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 70f0000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 70f0000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 70d8000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 70ed000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 70ed000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] 
C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7154000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 70de000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 715a000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 712d000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 70ea000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 
0000000076b1c4ca 2 bytes JMP 0000000076b1c83f .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 712a000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7127000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 70f6000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 70e4000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 70d5000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7160000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7163000a .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 70e7000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 70e7000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 70f3000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 70f3000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7166000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] 
C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 716c000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7169000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7172000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 7175000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OscarX7Editor5Mode\OscarX7Editor5Mode\OscarEditor.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70c1000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70c1000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70e2000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70e2000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70cd000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70cd000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70d3000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70d3000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70ca000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70ca000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70fa000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70fa000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d6000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d6000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70ee000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70ee000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70eb000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70eb000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70d0000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70d0000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70bb000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70bb000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 7100000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 7100000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 7103000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 7103000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70df000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70df000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f7000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f7000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70fd000a .text 
C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70fd000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70f1000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70f1000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70f4000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70f4000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c7000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c7000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70be000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70be000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70dc000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70dc000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70c4000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes 
JMP 70c4000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d9000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d9000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e8000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e8000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e5000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e5000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] 
C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 715d000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 7151000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 710c000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 714b000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7145000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7163000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 7112000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 7112000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7157000a .text 
C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 712a000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 7121000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 7121000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7109000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 711e000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 711e000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 715a000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7154000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7160000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 714e000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 710f000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7166000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7139000a .text 
C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713f000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7148000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7169000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 711b000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 711b000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7136000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7133000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7127000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 712d000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 712d000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 7130000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 7130000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7115000a 
.text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7106000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716c000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716f000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7142000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 713c000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7118000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7118000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7124000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7124000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 717b000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text 
C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7172000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7178000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7175000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 70b5000a .text C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[4852] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller 
Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 
3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a 
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) 
USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!BitBlt 
00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 
bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!MoveWindow 
0000000076b136a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host 
Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 
3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 
eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dc000a .text C:\Program Files 
(x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 
00000000775a0018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70d9000a .text C:\Program Files 
(x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 
0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 713f000a .text 
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes 
JMP 715a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Logitech\LWS\Webcam 
Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711e000a .text 
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Common 
Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d1000a .text 
C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 
00000000775a03e4 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d4000a .text C:\Program Files 
(x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] 
C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7158000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7146000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7140000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7163000a .text C:\Program Files 
(x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 710d000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7152000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7104000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 7119000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7155000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 714f000a .text C:\Program Files 
(x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715b000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 7149000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7134000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713a000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7143000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7116000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 
0000000076b2c122 6 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7110000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7101000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] 
C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 713d000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7137000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7113000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] 
C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\KERNEL32.dll .text ... 
* 9 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 
C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 70b0000a .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[5024] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 70b3000a .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP 
QWORD [RIP+0x93f41d0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 
6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9453680]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text 
C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP d14 .text C:\Windows\system32\DllHost.exe[4116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70ad000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70c2000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70da000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70da000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70cb000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70aa000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 7152000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 713d000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 70f8000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7137000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7131000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7158000a .text C:\Program Files 
(x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 714c000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7116000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 710d000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 710d000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 710a000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 710a000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 714f000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7149000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7155000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 713a000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 70fb000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 715b000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7125000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 712b000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7134000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 715e000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7107000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7107000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7122000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 711f000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7113000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 7119000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] 
C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 711c000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 711c000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7101000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 7161000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 7164000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 712e000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 7128000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7104000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7104000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7110000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7110000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 
7175000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7167000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075639698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[5064] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007583bae9 6 bytes JMP 717b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70bf000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70bf000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70e0000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70e0000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70cb000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70cb000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70d1000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70d1000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70c8000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70c8000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70f8000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70f8000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d4000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d4000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70ec000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70ec000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70e9000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70e9000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70ce000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70ce000a .text 
C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70b9000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70b9000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 70fe000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 70fe000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 7101000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 00000000775a0565 1 byte [71] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70dd000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70dd000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f5000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f5000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70fb000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70fb000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70ef000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70ef000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70f2000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775a0888 2 bytes JMP 70f2000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c5000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c5000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70bc000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70bc000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70da000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70da000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70c2000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70c2000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d7000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d7000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e6000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e6000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e3000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e3000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7185000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 7188000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7182000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 717f000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 715b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 714f000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 710a000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 7149000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7143000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7161000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 7110000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 7110000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7155000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 7128000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 711f000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 711f000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7107000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 711c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 711c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 7158000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7152000a .text 
C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 715e000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 714c000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 710d000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7164000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7137000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713d000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7146000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7167000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 7119000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 7119000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7134000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7131000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7125000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 712b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 712b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 712e000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 712e000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7113000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7104000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716a000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716d000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7140000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 713a000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7116000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7116000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7122000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7122000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 7179000a .text 
C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 718e000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7170000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7176000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7173000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766b9cbb 6 bytes JMP 7199000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x8c7dec0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x8c34410]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9474340]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9314240]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x93f41d0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x93b4190]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x94140f0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x9214080]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x9394060]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9294020]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x92b3fd0]} 
.text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x93d3fb0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x94b3dc0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x91d3db0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x91b3cb0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x9333be0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x9233ba0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x91f3b30]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x9273b00]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x9253aa0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9433a90]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9493a80]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9353710]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD 
[RIP+0x9453680]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9372e10]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x92d2d90]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x92f2d10]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x8f6e7d0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x8ec2440]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x8e90960]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x8ed0930]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x8e70760]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x8eaa910]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes JMP 1000100 .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes {JMP QWORD [RIP+0x339320]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x10dd50]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!BitBlt 
000007fefdf22390 6 bytes {JMP QWORD [RIP+0x12dca0]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes {JMP QWORD [RIP+0x148abc]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0xc7e4c]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0xa781c]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0xe72c4]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes {JMP QWORD [RIP+0x18458c]} .text C:\Windows\servicing\TrustedInstaller.exe[5160] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes {JMP QWORD [RIP+0x163890]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x905dec0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000773ebbf0 6 bytes {JMP QWORD [RIP+0x8d34440]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x9014410]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9c34340]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000773ebd50 6 bytes {JMP QWORD [RIP+0x8d142e0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773ebd60 6 bytes {JMP QWORD [RIP+0x8f742d0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9b24240]} .text C:\Windows\system32\svchost.exe[5208] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x8f541d0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x8ef4190]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000773ebec0 6 bytes {JMP QWORD [RIP+0x8f94170]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773ebf30 6 bytes {JMP QWORD [RIP+0x8db4100]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x9bd40f0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x8d94080]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x8ed4060]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9aa4020]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x9ac3fd0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x8f33fb0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x8cd3dc0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x8cb3db0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x8cf3cb0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x8e93be0]} .text 
C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x8dd3ba0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x8d53b30]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000773ec510 6 bytes {JMP QWORD [RIP+0x8f13b20]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x8e53b00]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x8e13aa0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9bf3a90]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9c53a80]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000773ec610 6 bytes {JMP QWORD [RIP+0x8eb3a20]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9b53710]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9c13680]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773eca10 6 bytes {JMP QWORD [RIP+0x8fd3620]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773eca20 6 bytes {JMP QWORD [RIP+0x8fb3610]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773eca50 6 bytes {JMP QWORD [RIP+0x8df35e0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ecac0 6 
bytes {JMP QWORD [RIP+0x8d73570]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ecb10 6 bytes {JMP QWORD [RIP+0x8e33520]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000773ed020 6 bytes {JMP QWORD [RIP+0x8e73010]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9b72e10]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000773ed240 6 bytes {JMP QWORD [RIP+0x8ff2df0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x9ae2d90]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x9b02d10]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000771862c0 6 bytes {JMP QWORD [RIP+0x8e99d70]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x96ee7d0]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000771939f0 6 bytes {JMP QWORD [RIP+0x8eec640]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x9642440]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000077201920 6 bytes {JMP QWORD [RIP+0x8e3e710]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x9610960]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x9650930]} .text 
C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x95f0760]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x962a910]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd429ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefdf9687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefdf98e30 6 bytes {JMP QWORD [RIP+0x177200]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefdf9995c 6 bytes JMP 8336 .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefdf999e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefdf99ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefdf9a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefdf9a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefdf9a5b0 5 bytes [FF, 25, 80, 5A, 07] .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefdf9a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[5208] 
C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefdf9bb28 6 bytes {JMP QWORD [RIP+0x114508]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefdf9bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[5208] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefdf9bb40 2 bytes [13, 00] .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x30dd50]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 6c005f .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0x2a781c]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0x2e72c4]} .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5208] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x905dec0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000773ebbf0 6 bytes {JMP QWORD [RIP+0x8d34440]} .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x9014410]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9c34340]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000773ebd50 6 bytes {JMP QWORD [RIP+0x8d142e0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773ebd60 6 bytes {JMP QWORD [RIP+0x8f742d0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9b24240]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x8f541d0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x8ef4190]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000773ebec0 6 bytes {JMP QWORD [RIP+0x8f94170]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773ebf30 6 bytes {JMP QWORD [RIP+0x8db4100]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x9bd40f0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x8d94080]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x8ed4060]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9aa4020]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x9ac3fd0]} .text 
C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x8f33fb0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x8cd3dc0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x8cb3db0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x8cf3cb0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x8e93be0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x8dd3ba0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x8d53b30]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000773ec510 6 bytes {JMP QWORD [RIP+0x8f13b20]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773ec530 6 bytes {JMP QWORD [RIP+0x8e53b00]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x8e13aa0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9bf3a90]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9c53a80]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000773ec610 6 bytes {JMP QWORD [RIP+0x8eb3a20]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes 
{JMP QWORD [RIP+0x9b53710]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9c13680]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773eca10 6 bytes {JMP QWORD [RIP+0x8fd3620]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773eca20 6 bytes {JMP QWORD [RIP+0x8fb3610]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773eca50 6 bytes {JMP QWORD [RIP+0x8df35e0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ecac0 6 bytes {JMP QWORD [RIP+0x8d73570]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ecb10 6 bytes {JMP QWORD [RIP+0x8e33520]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000773ed020 6 bytes {JMP QWORD [RIP+0x8e73010]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9b72e10]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000773ed240 6 bytes {JMP QWORD [RIP+0x8ff2df0]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x9ae2d90]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x9b02d10]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000771862c0 6 bytes {JMP QWORD [RIP+0x8e99d70]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x96ee7d0]} .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000771939f0 6 bytes {JMP QWORD [RIP+0x8eec640]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x9642440]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000077201920 6 bytes {JMP QWORD [RIP+0x8e3e710]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x9610960]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x9650930]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x95f0760]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x962a910]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd429ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefdf9687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefdf98e30 6 bytes {JMP QWORD [RIP+0x177200]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefdf9995c 6 bytes {JMP QWORD [RIP+0x1566d4]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefdf999e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefdf99ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefdf9a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefdf9a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefdf9a5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefdf9a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefdf9bb28 6 bytes {JMP QWORD [RIP+0x114508]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefdf9bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefdf9bb40 2 bytes [13, 00] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd8e2930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes {JMP QWORD [RIP+0x30dd50]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes {JMP QWORD [RIP+0x2c7e4c]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes {JMP QWORD [RIP+0x2a781c]} .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes {JMP QWORD [RIP+0x2e72c4]} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773c2170 6 bytes {JMP QWORD [RIP+0x905dec0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000773ebbf0 6 bytes {JMP QWORD [RIP+0x8d34440]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773ebc20 6 bytes {JMP QWORD [RIP+0x9014410]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773ebcf0 6 bytes {JMP QWORD [RIP+0x9c34340]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000773ebd50 6 bytes {JMP QWORD [RIP+0x8d142e0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000773ebd60 6 bytes {JMP QWORD [RIP+0x8f742d0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773ebdf0 6 bytes {JMP QWORD [RIP+0x9b24240]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773ebe60 6 bytes {JMP QWORD [RIP+0x8f541d0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773ebea0 6 bytes {JMP QWORD [RIP+0x8ef4190]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000773ebec0 6 bytes {JMP QWORD [RIP+0x8f94170]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773ebf30 6 bytes {JMP QWORD 
[RIP+0x8db4100]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773ebf40 6 bytes {JMP QWORD [RIP+0x9bd40f0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ebfb0 6 bytes {JMP QWORD [RIP+0x8d94080]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ebfd0 6 bytes {JMP QWORD [RIP+0x8ed4060]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ec010 6 bytes {JMP QWORD [RIP+0x9aa4020]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ec060 6 bytes {JMP QWORD [RIP+0x9ac3fd0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773ec080 6 bytes {JMP QWORD [RIP+0x8f33fb0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773ec270 6 bytes {JMP QWORD [RIP+0x8cd3dc0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773ec280 6 bytes {JMP QWORD [RIP+0x8cb3db0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ec380 6 bytes {JMP QWORD [RIP+0x8cf3cb0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773ec450 6 bytes {JMP QWORD [RIP+0x8e93be0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ec490 6 bytes {JMP QWORD [RIP+0x8dd3ba0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ec500 6 bytes {JMP QWORD [RIP+0x8d53b30]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000773ec510 6 bytes {JMP QWORD [RIP+0x8f13b20]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 
00000000773ec530 6 bytes {JMP QWORD [RIP+0x8e53b00]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ec590 6 bytes {JMP QWORD [RIP+0x8e13aa0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773ec5a0 6 bytes {JMP QWORD [RIP+0x9bf3a90]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ec5b0 6 bytes {JMP QWORD [RIP+0x9c53a80]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000773ec610 6 bytes {JMP QWORD [RIP+0x8eb3a20]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ec920 6 bytes {JMP QWORD [RIP+0x9b53710]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773ec9b0 6 bytes {JMP QWORD [RIP+0x9c13680]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773eca10 6 bytes {JMP QWORD [RIP+0x8fd3620]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773eca20 6 bytes {JMP QWORD [RIP+0x8fb3610]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773eca50 6 bytes {JMP QWORD [RIP+0x8df35e0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ecac0 6 bytes {JMP QWORD [RIP+0x8d73570]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ecb10 6 bytes {JMP QWORD [RIP+0x8e33520]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000773ed020 6 bytes {JMP QWORD [RIP+0x8e73010]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ed220 6 bytes {JMP QWORD [RIP+0x9b72e10]} .text C:\Windows\system32\DllHost.exe[6436] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000773ed240 6 bytes {JMP QWORD [RIP+0x8ff2df0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ed2a0 6 bytes {JMP QWORD [RIP+0x9ae2d90]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ed320 6 bytes {JMP QWORD [RIP+0x9b02d10]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000771862c0 6 bytes {JMP QWORD [RIP+0x8e99d70]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077191860 6 bytes {JMP QWORD [RIP+0x96ee7d0]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000771939f0 6 bytes {JMP QWORD [RIP+0x8eec640]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007719dbf0 6 bytes {JMP QWORD [RIP+0x9642440]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000077201920 6 bytes {JMP QWORD [RIP+0x8e3e710]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007720f6d0 6 bytes {JMP QWORD [RIP+0x9610960]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007720f700 6 bytes {JMP QWORD [RIP+0x9650930]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007720f8d0 6 bytes {JMP QWORD [RIP+0x95f0760]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077215720 6 bytes {JMP QWORD [RIP+0x962a910]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd423a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 
000007fefd429ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd6b6d10 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdf222e0 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdf22390 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdf27574 6 bytes JMP 10005e63 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdf281e4 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdf28814 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdf28d6c 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdf2baa4 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdf2c7a0 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefdf9687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefdf98e30 6 bytes {JMP QWORD [RIP+0x177200]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefdf9995c 6 bytes {JMP QWORD [RIP+0x1566d4]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefdf999e4 6 bytes JMP 3ac1 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefdf99ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefdf9a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text 
C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefdf9a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefdf9a5b0 5 bytes JMP 30000 .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefdf9a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefdf9bb28 6 bytes {JMP QWORD [RIP+0x114508]} .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefdf9bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\DllHost.exe[6436] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefdf9bb40 2 bytes [13, 00] .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007759f9f0 3 bytes JMP 71af000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007759f9f4 2 bytes JMP 71af000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007759fb38 3 bytes JMP 70c1000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007759fb3c 2 bytes JMP 70c1000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007759fcc0 3 bytes JMP 70e2000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007759fcc4 2 bytes JMP 70e2000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fd74 3 bytes JMP 70cd000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007759fd78 2 bytes JMP 70cd000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007759fdd8 3 bytes JMP 70d3000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007759fddc 2 bytes JMP 70d3000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007759fed0 3 bytes JMP 70ca000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007759fed4 2 bytes JMP 70ca000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007759ff84 3 bytes JMP 70fa000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007759ff88 2 bytes JMP 70fa000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007759ffb4 3 bytes JMP 70d6000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007759ffb8 2 bytes JMP 70d6000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775a0014 3 bytes JMP 70ee000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775a0018 2 bytes JMP 70ee000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775a0094 3 bytes JMP 70eb000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775a0098 2 bytes JMP 70eb000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00c4 3 bytes JMP 70d0000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775a00c8 2 bytes JMP 70d0000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775a03c8 3 bytes JMP 70bb000a .text 
C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775a03cc 2 bytes JMP 70bb000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775a03e0 3 bytes JMP 7100000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775a03e4 2 bytes JMP 7100000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775a0560 3 bytes JMP 7103000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775a0564 2 bytes JMP 7103000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775a06a4 3 bytes JMP 70df000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775a06a8 2 bytes JMP 70df000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775a0704 3 bytes JMP 70f7000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775a0708 2 bytes JMP 70f7000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775a07ac 3 bytes JMP 70fd000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775a07b0 2 bytes JMP 70fd000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775a07f4 3 bytes JMP 70f1000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775a07f8 2 bytes JMP 70f1000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775a0884 3 bytes JMP 70f4000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 
00000000775a0888 2 bytes JMP 70f4000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775a089c 3 bytes JMP 70c7000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775a08a0 2 bytes JMP 70c7000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775a08b4 3 bytes JMP 70be000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775a08b8 2 bytes JMP 70be000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775a0e04 3 bytes JMP 70dc000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775a0e08 2 bytes JMP 70dc000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775a0ee8 3 bytes JMP 70c4000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775a0eec 2 bytes JMP 70c4000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775a1bf4 3 bytes JMP 70d9000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775a1bf8 2 bytes JMP 70d9000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775a1cc4 3 bytes JMP 70e8000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775a1cc8 2 bytes JMP 70e8000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775a1d9c 3 bytes JMP 70e5000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775a1da0 2 bytes JMP 70e5000a .text 
C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775bc0f0 6 bytes JMP 71a8000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076953be3 3 bytes JMP 719c000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076953be7 2 bytes JMP 719c000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076959ae4 6 bytes JMP 7187000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076963baa 6 bytes JMP 717e000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007696cd11 6 bytes JMP 718a000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000769bdda6 6 bytes JMP 7184000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000769bde49 6 bytes JMP 7181000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007713f8a7 6 bytes JMP 719f000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000077142e0b 4 bytes CALL 71ac0000 .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076b08342 6 bytes JMP 715d000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076b08c0f 6 bytes JMP 7151000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076b090e3 6 bytes JMP 710c000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076b09689 6 bytes JMP 714b000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076b097e2 6 bytes JMP 7145000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076b0ee19 6 bytes JMP 7163000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076b0efd9 3 bytes JMP 7112000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076b0efdd 2 bytes JMP 7112000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b112b5 6 bytes JMP 7157000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b1292f 6 bytes JMP 712a000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetParent 0000000076b12d74 3 bytes JMP 7121000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076b12d78 2 bytes JMP 7121000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076b12db4 6 bytes JMP 7109000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076b136a8 3 bytes JMP 711e000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076b136ac 2 bytes JMP 711e000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b13bba 6 bytes JMP 715a000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076b13c71 6 bytes JMP 7154000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b16120 6 bytes JMP 7160000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b1613e 6 bytes JMP 714e000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b16c40 6 bytes JMP 710f000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b17613 6 bytes JMP 7166000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b17678 6 bytes JMP 7139000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076b176f0 6 bytes JMP 713f000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076b1782f 6 bytes JMP 7148000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b1836c 6 bytes JMP 7169000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076b1c4c6 3 bytes JMP 711b000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076b1c4ca 2 bytes JMP 711b000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076b2c122 6 bytes JMP 7136000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076b2d109 6 bytes JMP 7133000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b2ebb6 6 bytes JMP 7127000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b2ec88 3 bytes JMP 712d000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076b2ec8c 2 bytes JMP 712d000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendInput 0000000076b2ff6a 3 bytes JMP 7130000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff6e 2 bytes JMP 7130000a .text 
C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b49fdb 6 bytes JMP 7115000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076b5156b 6 bytes JMP 7106000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b60343 6 bytes JMP 716c000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b60387 6 bytes JMP 716f000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076b66dc4 6 bytes JMP 7142000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b66e25 6 bytes JMP 713c000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076b67e9f 3 bytes JMP 7118000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076b67ea3 2 bytes JMP 7118000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b689b3 3 bytes JMP 7124000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076b689b7 2 bytes JMP 7124000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000753f58b3 6 bytes JMP 718d000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000753f5ea5 6 bytes JMP 717b000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000753f7bcc 6 bytes JMP 7196000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000753fb98a 6 bytes JMP 7190000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000753fbd7d 6 bytes JMP 7172000a .text 
C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000753fcf11 6 bytes JMP 7178000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000753fe935 6 bytes JMP 7193000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075424aaa 6 bytes JMP 7175000a .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 7696b263 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 7696b38e C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 769e90f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 769448ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 769e89ea C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 769e8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 769e88e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 769e8caa C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 7695fce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 76966937 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 769e91a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 769e8d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 769e88a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 7695fd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 7696b324 C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 769e906c C:\Windows\syswow64\kernel32.dll .text C:\Users\admin\Desktop\h9qc9c3b.exe[5724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 769e8839 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010c2e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010c2c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010c3614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010c3a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010c386c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800c6ec2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800c6ec2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800c6ec2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa800c6ec2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800c6ec2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa800c6ec2c0 Device \FileSystem\Ntfs \Ntfs fffffa800c6f02c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800e2482c0 Device \Driver\cdrom \Device\CdRom0 fffffa800dba12c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800e2482c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{588B3E8B-CC3E-4313-AB5D-BF07BCF1E6CB} fffffa800dd262c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800e2482c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800dd262c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800c6ec2c0 Device \Driver\usbehci \Device\USBPDO-0 
fffffa800e2482c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800c6ec2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa800c6ec2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa800c6ec2c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800c6ec2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa800c6ec2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800d796790] fffffa800d796790 Trace 3 CLASSPNP.SYS[fffff880015b843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa800d193060] fffffa800d193060 Trace \Driver\atapi[0xfffffa800d16ea60] -> IRP_MJ_CREATE -> 0xfffffa800c6ec2c0 fffffa800c6ec2c0 ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [3024:2412] 000007fef1a87c4c Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [3024:5004] 000007fef192c0d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0x09 0xE6 0x29 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0x09 0xE6 0x29 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\admin\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Files - GMER 2.2 ---- File C:\Users\admin\AppData\Local\Temp\Rar$DRa0.330\SKANY.\SKM_454e16012515120.pdf 1417578 bytes File C:\Users\admin\AppData\Local\Temp\Rar$DRa0.330\SKANY.\SKM_454e16012515130.pdf 980489 bytes File C:\Users\admin\AppData\Local\Temp\Rar$DRa0.343\SKANY.\SKM_454e16012515120.pdf 1417578 bytes File C:\Users\admin\AppData\Local\Temp\Rar$DRa0.343\SKANY.\SKM_454e16012515130.pdf 980489 bytes File C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\izjou6l6.default-1428857564591\cache2\entries\A79D7161ECFB19450B9F67953C1672F0E962A2BE 318 bytes File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 28672 bytes File C:\FRST\Hives\default 405504 bytes File C:\FRST\Hives\ERDNT.CON 800 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 836 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 
3275 bytes File C:\FRST\Hives\sam 61440 bytes File C:\FRST\Hives\security 28672 bytes File C:\FRST\Hives\software 96268288 bytes File C:\FRST\Hives\system 23523328 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\ntuser.dat 6172672 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 7344128 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Logs\Addition_13-08-2016_23-52-16.txt 73100 bytes File C:\FRST\Logs\Addition_13-08-2016_23-52-55.txt 73100 bytes File C:\FRST\Logs\FRST_13-08-2016_23-52-16.txt 52147 bytes File C:\FRST\Logs\FRST_13-08-2016_23-52-55.txt 52180 bytes File C:\FRST\Quarantine 0 bytes ---- EOF - GMER 2.2 ----