GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-20 17:37:16 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HGST_HTS541010A9E680 rev.JA0OA560 931,51GB Running: dqg37vc1.exe; Driver: C:\Users\Michal\AppData\Local\Temp\kwtdrpoc.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003fef000 26 bytes [F6, C1, 10, 0F, 85, 26, FE, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 555 fffff80003fef01b 37 bytes {MOV [RSI+0x1a], CL; JMP 0xfffffffffffffe14} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\services.exe[924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\services.exe[924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\services.exe[924] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe686bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[924] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\lsass.exe[932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 244560 .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\lsm.exe[940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[612] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe686bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[612] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\nvvsvc.exe[676] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe686bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 6c0064 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes JMP 8f24720 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes JMP 925eca8 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes JMP 63b0fa9 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes JMP 15e140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes JMP 2e37c70 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes JMP 2e01140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes JMP 210140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes JMP 511d140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes JMP 80fb140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes JMP 210140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes JMP 12b6f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes JMP 210140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes JMP 9ade62a .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes JMP 134140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes JMP 12e6f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes JMP 80e3c70 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes JMP 80e3c70 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes JMP 5085b40 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes JMP 25757a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes JMP 81eb3f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes JMP 80e3c70 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes JMP 63b9c29 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes JMP 270a140 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes JMP d234c18 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes JMP 8166610 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes JMP 12e6f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes JMP 28d8240 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes JMP 5dfaca8 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes JMP 95ab411 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes JMP 94c0a60 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes JMP 5cc27d1 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes JMP 1016fef .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes JMP 9557da8 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes JMP 4d0022 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes JMP 8 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes JMP 220034 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes JMP 550020 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe686bd0 6 bytes JMP 298160 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\igfxCUIService.exe[1336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\igfxCUIService.exe[1336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\igfxCUIService.exe[1336] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\nvvsvc.exe[1364] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes [B9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes [DA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes [C5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes [CB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes [C2, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes [F2, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes [CE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes [E6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes [C8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes [B3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes [F8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes [FB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes [D7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes [EF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes [F5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 00000000cb84d15d .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes [EC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes [BF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes [B6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes [D4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes [BC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes [D1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes [E0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes [DD, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [0A, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [04, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [16, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [19, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [25, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [13, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [28, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70fe001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [10, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1C, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1748] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7e7dc88 5 bytes JMP 000007fef7c700d8 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7e7de10 5 bytes JMP 000007fef7c70110 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes JMP 14ae20 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes JMP 44f043e .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes JMP 69726556 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\System32\spoolsv.exe[1864] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes JMP 6d0061 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes JMP 1 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe686bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 288bc0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes JMP ffffffff .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes JMP 80001 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes JMP 1 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes JMP 740061 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes JMP 97fe638 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes JMP ffffffff .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes JMP 200066 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes JMP 98cffc8 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes JMP 997ee90 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes JMP 65006e .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes JMP 2e006d .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 203e88 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes JMP 610077 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c77640 6 bytes JMP 74006e .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c79554 6 bytes JMP 7310003 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetParent 0000000076c79870 6 bytes JMP 300036 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076c7c044 6 bytes JMP 630069 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c7ca54 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c7d0f0 6 bytes JMP fff6e79b .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c7d120 6 bytes JMP faee2330 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c7f0c4 6 bytes JMP 32 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c7f690 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c7fc50 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c7fcd8 6 bytes JMP 65006d .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c803f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c81f30 6 bytes JMP 410041 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c82294 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076c83464 6 bytes JMP 690077 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076c85c34 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076c871e9 5 bytes JMP 30000007 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!GetKeyState 0000000076c878c0 6 bytes JMP e35a13e0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076c88e28 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c88f9c 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!PostMessageW 0000000076c892d4 6 bytes JMP 900000ec .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageW 0000000076c8a800 6 bytes JMP 1 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076c90bf8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076c91584 6 bytes JMP 6 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076c92360 6 bytes JMP 31f .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076c95508 6 bytes JMP 8 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!mouse_event 0000000076c962c4 6 bytes JMP 31003b .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076c991a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076c992e0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c99320 6 bytes JMP 770065 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendInput 0000000076c993d0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!BlockInput 0000000076c9b430 6 bytes JMP 9824c70 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076cc16e0 6 bytes JMP fd5e2320 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!keybd_event 0000000076ce4474 6 bytes {JMP QWORD [RIP+0x943bbbc]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076cecc58 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076cedec8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd1d8f6c 6 bytes {JMP QWORD [RIP+0x11670c4]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefd3f19b8 6 bytes {JMP QWORD [RIP+0xf2e678]} .text C:\Windows\Explorer.EXE[1932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 22302c .text C:\Windows\SysWOW64\esif_uf.exe[1216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\SysWOW64\esif_uf.exe[1216] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1452] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes [BA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes [DB, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes [C3, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes [E7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes [F9, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes [D8, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes [F0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes [EA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes [C0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes [D5, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes [BD, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes [D2, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes [E1, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes [DE, 70] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes [FF, 25, 1E, 00, 83] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes [FF, 25, 1E, 00, 80] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [0B, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [05, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [17, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [1A, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [26, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [14, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [29, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [11, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [10, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [0A, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [1C, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [1F, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x7125001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [2B, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [19, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [2E, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x7104001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [16, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [22, 71] .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Windows\system32\taskeng.exe[2272] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2492] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes [B8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes [D9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes [C4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes [CA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes [C1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes [F1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes [CD, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes [E5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70e3000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70e3000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes [C7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes [B2, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes [F7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes [FA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes [D6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes [EE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes [F4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes [E8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes {JMP 0x72} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes [BE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes [B5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes [D3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes [BB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes [D0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes [DF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes [DC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x7154001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x7148001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7142001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 713d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [09, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x714e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [03, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [15, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7151001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [18, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7100001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [24, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7160001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [12, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7136001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7145001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7157001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x713f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7106001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7130001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [27, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70fd001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7163001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7166001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x7139001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7133001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [0F, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1B, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7172001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x7169001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x716f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2508] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x716c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes JMP 70ba000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes [DA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes JMP 70c6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes JMP 70c6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes JMP 70cc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes [C2, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70f3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70f3000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes [E6, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70e4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70e4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70c9000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes JMP 70b4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes JMP 70b4000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes [F8, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 70fc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 70fc000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes [D7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes [EF, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70f6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70f6000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 00000000cb84d15d .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes [EC, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes [BF, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes [D4, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes [BC, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes [D1, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes [E0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes [DD, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756a1f2e 7 bytes JMP 0000000072473990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756a5bcd 7 bytes JMP 0000000072473fd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756b1429 7 bytes JMP 0000000072473be0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756bea5d 7 bytes JMP 0000000072473980 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes {JMP QWORD [RIP+0x717c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes [FF, 25, 1E, 00, 82] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes [FF, 25, 1E, 00, 7F] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000757488f4 7 bytes JMP 00000000724734d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075748979 5 bytes JMP 0000000072473580 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075748ccf 5 bytes JMP 00000000724734e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 000000000133f046 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes JMP 7156000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [0A, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [04, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [16, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [19, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [25, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [13, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [28, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70fe001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [10, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1C, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes JMP 718c000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes JMP 7195000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075d896f6 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075f8addd 6 bytes {JMP QWORD [RIP+0x7179001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074955ea5 5 bytes JMP 0000000072472970 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2620] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074989d0b 5 bytes JMP 0000000072472900 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes [DA, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes [C5, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes [CB, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes [C2, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes [E6, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes [B3, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes [F8, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes [D7, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes [EF, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 00000000cb84d15d .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes [EC, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes [BF, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes [D4, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes [BC, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes [D1, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes [E0, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes [DD, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756a1f2e 7 bytes JMP 0000000072473990 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756a5bcd 7 bytes JMP 0000000072473fd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756b1429 7 bytes JMP 0000000072473be0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756bea5d 7 bytes JMP 0000000072473980 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes {JMP QWORD [RIP+0x717c001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes [FF, 25, 1E, 00, 82] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes [FF, 25, 1E, 00, 7F] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000757488f4 7 bytes JMP 00000000724734d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075748979 5 bytes JMP 0000000072473580 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075748ccf 5 bytes JMP 00000000724734e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [0A, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [04, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [16, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [19, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [25, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [13, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [28, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70fe001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [10, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1C, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756a1f2e 7 bytes JMP 0000000072473990 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756a5bcd 7 bytes JMP 0000000072473fd0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756b1429 7 bytes JMP 0000000072473be0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756bea5d 7 bytes JMP 0000000072473980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes {JMP QWORD [RIP+0x717c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes [FF, 25, 1E, 00, 82] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes [FF, 25, 1E, 00, 7F] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000757488f4 7 bytes JMP 00000000724734d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075748979 5 bytes JMP 0000000072473580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075748ccf 5 bytes JMP 00000000724734e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 7144000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [10, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [0A, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [1C, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [1F, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x7125001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [2B, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [19, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [2E, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x7104001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [16, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [22, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7179001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2684] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756a1f2e 7 bytes JMP 0000000072473990 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756a5bcd 7 bytes JMP 0000000072473fd0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756b1429 7 bytes JMP 0000000072473be0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes [9B, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756bea5d 7 bytes JMP 0000000072473980 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes {JMP QWORD [RIP+0x717c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes [FF, 25, 1E, 00, 82] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes [FF, 25, 1E, 00, 7F] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000757488f4 7 bytes JMP 00000000724734d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075748979 5 bytes JMP 0000000072473580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075748ccf 5 bytes JMP 00000000724734e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 713e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes [0A, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes [04, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes [16, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes [19, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes [25, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes [13, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes [28, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes {JMP QWORD [RIP+0x70fe001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes [10, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes [1C, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes {JMP QWORD [RIP+0x716a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes {JMP QWORD [RIP+0x7170001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2704] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes {JMP QWORD [RIP+0x716d001e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes JMP 8f66 .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe[2148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[2536] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\conhost.exe[2376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef55c2460 5 bytes JMP 000007fefce302d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef55f96b0 3 bytes JMP 000007fefce30298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] C:\Windows\system32\d3d9.dll!Direct3DCreate9 + 4 000007fef55f96b4 2 bytes [07, CC] .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\conhost.exe[2564] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\svchost.exe[2396] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP 790061 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP e5206ee0 .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\SearchIndexer.exe[3400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Windows\TEMP\DPTF\esif_assist_64.exe[4000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[3888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\System32\WUDFHost.exe[3732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4060] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP b13de799 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes JMP 10a80 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Windows\system32\igfxEM.exe[4104] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\System32\svchost.exe[4348] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 288b90 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP be5c1286 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 0 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes JMP 0 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Windows\system32\igfxHK.exe[4544] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP 0 .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes JMP 9b9 .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\igfxTray.exe[4640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes {JMP QWORD [RIP+0x288ba0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes JMP 1000100 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes JMP 238 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5276] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074989d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751a1465 2 bytes [1A, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751a14bb 2 bytes [1A, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 712b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes JMP 70ef000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes JMP 7101000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 5 0000000075c4b7eb 1 byte [71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes JMP 7125000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes JMP 711f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes JMP 70ec000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes JMP 7128000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes JMP 7122000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074989d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075d896f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075f8addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751a1465 2 bytes [1A, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751a14bb 2 bytes [1A, 75] .text ... * 2 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes JMP 0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes JMP 0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes JMP 226fc0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes JMP 0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes JMP 0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes JMP 94000069 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 105 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes JMP 20000001 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Windows\system32\perfmon.exe[1196] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b5af40 3 bytes JMP 000000006fff0228 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!RegSetValueExW + 4 0000000076b5af44 3 bytes [F9, CC, CC] .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b64a60 5 bytes JMP 000000006fff0180 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b82990 5 bytes JMP 000000006fff01b8 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b8efe0 5 bytes JMP 000000006fff0110 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bb99b0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bc94d0 5 bytes JMP 000000006fff0148 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bea500 7 bytes JMP 000000006fff01f0 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce63460 7 bytes JMP 000007fefce300d8 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce69940 6 bytes JMP 000007fefce30148 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes CALL 5b000038 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce69fb0 5 bytes JMP 000007fefce30180 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce6a150 5 bytes JMP 000007fefce30110 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefef389e0 8 bytes JMP 000007fefce301f0 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes {JMP QWORD [RIP+0x254648]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefef3be40 8 bytes JMP 000007fefce301b8 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd1d8f6c 6 bytes {JMP QWORD [RIP+0x12270c4]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefd3f19b8 6 bytes {JMP QWORD [RIP+0xfee678]} .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 11 bytes JMP 000007fefce30228 .text C:\Program Files\CCleaner\CCleaner64.exe[5980] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefec3bf00 7 bytes JMP 000007fefce30260 .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 2d006e .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1320] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076dc13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076dc1470 6 bytes {JMP QWORD [RIP+0x9a9ebc0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 6 bytes {JMP QWORD [RIP+0x993eac0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076dc15e0 6 bytes {JMP QWORD [RIP+0x9a1ea50]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 6 bytes {JMP QWORD [RIP+0x99dea10]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076dc16c0 6 bytes {JMP QWORD [RIP+0x9a3e970]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 6 bytes {JMP QWORD [RIP+0x983e900]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 6 bytes {JMP QWORD [RIP+0x99be8e0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 6 bytes {JMP QWORD [RIP+0x98be8a0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 6 bytes {JMP QWORD [RIP+0x98de850]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076dc1800 6 bytes {JMP QWORD [RIP+0x99fe830]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076dc19f0 6 bytes {JMP QWORD [RIP+0x9ade640]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076dc1a00 6 bytes {JMP QWORD [RIP+0x97fe630]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 6 bytes {JMP QWORD [RIP+0x97de530]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076dc1bd0 6 bytes {JMP QWORD [RIP+0x995e460]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 6 bytes {JMP QWORD [RIP+0x985e420]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 6 bytes {JMP QWORD [RIP+0x981e3b0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076dc1cb0 6 bytes {JMP QWORD [RIP+0x989e380]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 6 bytes {JMP QWORD [RIP+0x987e320]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076dc1d20 6 bytes {JMP QWORD [RIP+0x9a5e310]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 6 bytes {JMP QWORD [RIP+0x9abe300]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 6 bytes {JMP QWORD [RIP+0x997df90]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dc2130 6 bytes {JMP QWORD [RIP+0x9a7df00]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 6 bytes {JMP QWORD [RIP+0x999d690]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 6 bytes {JMP QWORD [RIP+0x98fd610]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 6 bytes {JMP QWORD [RIP+0x991d590]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b623d0 6 bytes {JMP QWORD [RIP+0x959dc60]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b6e750 6 bytes {JMP QWORD [RIP+0x94f18e0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bdf6c0 6 bytes {JMP QWORD [RIP+0x94c0970]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bdf6f0 6 bytes {JMP QWORD [RIP+0x9500940]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bdf8c0 6 bytes {JMP QWORD [RIP+0x94a0770]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076be5690 6 bytes {JMP QWORD [RIP+0x94da9a0]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce69aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefce75290 5 bytes [FF, 25, A0, AD, 14] .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefef322cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefef324c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefef35be0 6 bytes {JMP QWORD [RIP+0x21a450]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefef38398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefef389c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefef39344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefef3b9e8 6 bytes JMP 3c003a .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefef45410 6 bytes {JMP QWORD [RIP+0x22ac20]} .text C:\Windows\system32\SearchProtocolHost.exe[6000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefec27490 6 bytes JMP 0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f6f9e0 3 bytes JMP 71af000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f6f9e4 2 bytes JMP 71af000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f6fb28 3 bytes JMP 70c0000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f6fb2c 2 bytes JMP 70c0000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 3 bytes JMP 70e1000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f6fcb4 2 bytes JMP 70e1000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f6fd64 3 bytes JMP 70cc000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f6fd68 2 bytes JMP 70cc000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f6fdc8 3 bytes JMP 70d2000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f6fdcc 2 bytes JMP 70d2000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f6fec0 3 bytes JMP 70c9000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f6fec4 2 bytes JMP 70c9000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f6ff74 3 bytes JMP 70f9000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f6ff78 2 bytes JMP 70f9000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f6ffa4 3 bytes JMP 70d5000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f6ffa8 2 bytes JMP 70d5000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f70004 3 bytes JMP 70ed000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f70008 2 bytes JMP 70ed000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f70084 3 bytes JMP 70ea000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f70088 2 bytes JMP 00000000cb84c9fd .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f700b4 3 bytes JMP 70cf000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f700b8 2 bytes JMP 70cf000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f703b8 3 bytes JMP 70ba000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f703bc 2 bytes JMP 70ba000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f703d0 3 bytes JMP 70ff000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f703d4 2 bytes JMP 70ff000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f70550 3 bytes JMP 7102000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f70554 2 bytes JMP 7102000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f70694 3 bytes JMP 70de000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f70698 2 bytes JMP 70de000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f706f4 3 bytes JMP 70f6000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f706f8 2 bytes JMP 70f6000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f7079c 3 bytes JMP 70fc000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f707a0 2 bytes JMP 70fc000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f707e4 3 bytes JMP 70f0000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f707e8 2 bytes JMP 70f0000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f70874 3 bytes JMP 70f3000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f70878 2 bytes JMP 70f3000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f7088c 3 bytes JMP 70c6000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f70890 2 bytes JMP 70c6000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f708a4 3 bytes JMP 70bd000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f708a8 2 bytes JMP 70bd000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f70df4 3 bytes JMP 70db000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f70df8 2 bytes JMP 70db000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f70ed8 3 bytes JMP 70c3000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f70edc 2 bytes JMP 70c3000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f71be4 3 bytes JMP 70d8000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f71be8 2 bytes JMP 70d8000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f71cb4 3 bytes JMP 70e7000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f71cb8 2 bytes JMP 70e7000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f71d8c 3 bytes JMP 70e4000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f71d90 2 bytes JMP 70e4000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 6 bytes JMP 71a8000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756a1f2e 7 bytes JMP 0000000072473990 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756a5bcd 7 bytes JMP 0000000072473fd0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756b1429 7 bytes JMP 0000000072473be0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756b3bdb 3 bytes JMP 719c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000756b3bdf 2 bytes JMP 719c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000756b9ab4 6 bytes JMP 7186000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756bea5d 7 bytes JMP 0000000072473980 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000756c3b7a 6 bytes JMP 717d000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000756cccd1 6 bytes JMP 7189000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007571d7e6 5 bytes JMP 7183000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007571d889 5 bytes JMP 7180000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000757488f4 7 bytes JMP 00000000724734d0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075748979 5 bytes JMP 0000000072473580 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075748ccf 5 bytes JMP 00000000724734e0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075b6f776 6 bytes JMP 719f000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075b71d1b 5 bytes JMP 0000000072473490 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075b71dc9 5 bytes JMP 0000000072473450 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075b72aa4 5 bytes JMP 0000000072473590 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075b72c91 4 bytes CALL 71ac0000 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075b72d0a 5 bytes JMP 00000000724732a0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075c38b7c 6 bytes JMP 715c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075c38b9a 5 bytes JMP 00000000724729b0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075c38e6e 6 bytes JMP 7150000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075c3cd35 6 bytes JMP 714a000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075c3d0da 6 bytes JMP 7144000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075c3d277 3 bytes JMP 7111000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075c3d27b 2 bytes JMP 7111000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c3f0e6 6 bytes JMP 7162000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075c40f14 6 bytes JMP 7156000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075c40f9f 3 bytes JMP 710b000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075c40fa3 2 bytes JMP 710b000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075c42902 6 bytes JMP 7129000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075c435fb 3 bytes JMP 711d000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075c435ff 2 bytes JMP 711d000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075c43cbf 6 bytes JMP 7159000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075c43d76 6 bytes JMP 7153000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetParent 0000000075c43f14 3 bytes JMP 7120000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075c43f18 2 bytes JMP 7120000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075c43f54 6 bytes JMP 7108000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075c44858 6 bytes JMP 7126000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075c4492a 3 bytes JMP 712c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075c4492e 2 bytes JMP 712c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075c44c48 5 bytes JMP 0000000072473220 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075c46bdc 5 bytes JMP 0000000072473290 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c48364 6 bytes JMP 7168000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075c4b7e6 3 bytes JMP 711a000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075c4b7ea 2 bytes JMP 711a000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075c4c991 6 bytes JMP 7135000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c506b3 6 bytes JMP 7165000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075c5090f 6 bytes JMP 713e000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075c52959 6 bytes JMP 7132000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075c5eef4 6 bytes JMP 714d000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075c5ef4a 6 bytes JMP 715f000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075c5f422 6 bytes JMP 7147000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075c5f9b0 6 bytes JMP 710e000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075c60f60 6 bytes JMP 7138000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendInput 0000000075c6195e 3 bytes JMP 712f000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075c61962 2 bytes JMP 712f000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075c79f3b 6 bytes JMP 7114000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075c8092e 5 bytes JMP 0000000072472830 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075c815ef 6 bytes JMP 7105000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075c9040b 6 bytes JMP 716b000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075c9044f 6 bytes JMP 716e000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075c96e8c 6 bytes JMP 7141000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075c96eed 6 bytes JMP 713b000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075c97bec 5 bytes JMP 0000000072473210 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075c97f67 3 bytes JMP 7117000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075c97f6b 2 bytes JMP 7117000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075c98a7b 3 bytes JMP 7123000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075c98a7f 2 bytes JMP 7123000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074cb58b3 6 bytes JMP 718c000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074cb5ea6 6 bytes JMP 717a000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074cb7bcc 6 bytes JMP 7195000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074cbb895 6 bytes JMP 7171000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074cbc332 6 bytes JMP 7177000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074cbcbfb 6 bytes JMP 718f000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074cbe743 6 bytes JMP 7192000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074cce9a2 5 bytes JMP 0000000072472ad0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074ccebdc 5 bytes JMP 0000000072472ae0 .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074ce4646 6 bytes JMP 7174000a .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751a1465 2 bytes [1A, 75] .text C:\Users\Michal\Desktop\ff\dqg37vc1.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751a14bb 2 bytes [1A, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\Dwm.exe[1812] @ C:\Windows\system32\WindowsCodecs.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\Dwm.exe[1812] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\taskeng.exe[2272] @ C:\Windows\system32\taskeng.exe[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\taskeng.exe[2272] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3068] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2268] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\igfxEM.exe[4104] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\igfxEM.exe[4104] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\igfxHK.exe[4544] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\igfxHK.exe[4544] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\perfmon.exe[1196] @ C:\Windows\system32\perfmon.exe[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\perfmon.exe[1196] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\perfmon.exe[1196] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\perfmon.exe[1196] @ C:\Windows\System32\pdhui.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Windows\system32\perfmon.exe[1196] @ C:\Windows\system32\OLEACC.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Program Files\CCleaner\CCleaner64.exe[5980] @ C:\Windows\system32\OLEAUT32.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Program Files\CCleaner\CCleaner64.exe[5980] @ C:\Windows\system32\WindowsCodecs.dll[ole32.dll!CoCreateInstance] [7fefee90000] IAT C:\Program Files\CCleaner\CCleaner64.exe[5980] @ C:\Windows\system32\CLBCatQ.DLL[ole32.dll!CoCreateInstance] [7fefee90000] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\services.exe [924:436] 000007fefbd594c4 Thread C:\Windows\System32\svchost.exe [1056:1560] 000007fef89659a0 Thread C:\Windows\System32\svchost.exe [1056:3760] 000007fee859a2b0 Thread C:\Windows\System32\svchost.exe [1056:4636] 000007fef27344e0 Thread C:\Windows\System32\svchost.exe [1056:4732] 000007fef28f88f8 Thread C:\Windows\System32\svchost.exe [1056:4672] 000007fee72b8a4c Thread C:\Windows\System32\svchost.exe [1056:2212] 000007fee7243efc Thread C:\Windows\system32\svchost.exe [1116:1164] 000007fef9f3034c Thread C:\Windows\system32\svchost.exe [1116:1168] 000007fef9f2fb90 Thread C:\Windows\system32\svchost.exe [1116:2400] 000007fef1910ea8 Thread C:\Windows\system32\svchost.exe [1116:2908] 000007fef1909db0 Thread C:\Windows\system32\svchost.exe [1116:3312] 000007fef190aa10 Thread C:\Windows\system32\svchost.exe [1116:3316] 000007fef1911c94 Thread C:\Windows\system32\svchost.exe [1116:4248] 000007fee812d3c8 Thread C:\Windows\system32\svchost.exe [1116:4252] 000007fee812d3c8 Thread C:\Windows\system32\svchost.exe [1116:4256] 000007fee812d3c8 Thread C:\Windows\system32\svchost.exe [1116:4260] 000007fee812d3c8 Thread C:\Windows\system32\svchost.exe [2396:3420] 000007feee4e8470 Thread C:\Windows\system32\svchost.exe [2396:3424] 000007feee4f2418 Thread C:\Windows\system32\svchost.exe [2396:4176] 000007fef5505fd0 Thread C:\Windows\system32\svchost.exe [2396:4180] 000007fef55063ec Thread C:\Windows\system32\svchost.exe [2396:4416] 000007fee748f130 Thread C:\Windows\system32\svchost.exe [2396:4604] 000007fee7484734 Thread C:\Windows\system32\svchost.exe [2396:5736] 000007fee7484734 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3568:4072] 000007feeccf472c Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3568:4092] 000007feece380ec Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3568:3736] 000007feece380ec Thread C:\Windows\system32\svchost.exe [3888:3260] 000007fee8516e5c Thread C:\Windows\system32\svchost.exe [3888:3248] 000007fee8515708 Thread C:\Windows\System32\WUDFHost.exe [3732:3680] 000007feede62f9c Thread C:\Windows\System32\WUDFHost.exe [3732:3708] 000007fee7839fe4 Thread C:\Windows\System32\WUDFHost.exe [3732:3728] 000007fee78398ac Thread C:\Windows\System32\WUDFHost.exe [3732:4112] 000007fee7723b60 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\28c2dd9c2e90 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0D1CEEB7-BA49-430D-93F2-DCBC0D2B5772}@LeaseObtainedTime 1476975716 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0D1CEEB7-BA49-430D-93F2-DCBC0D2B5772}@T1 1476977516 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0D1CEEB7-BA49-430D-93F2-DCBC0D2B5772}@T2 1476978866 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0D1CEEB7-BA49-430D-93F2-DCBC0D2B5772}@LeaseTerminatesTime 1476979316 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\28c2dd9c2e90 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----