GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-25 00:21:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC4O 465,76GB Running: g5ysnlel.exe; Driver: C:\Users\Lech\AppData\Local\Temp\kwldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772d13c0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772d15c0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772d13c0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772d15c0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\services.exe[708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\services.exe[708] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076ba6ef0 6 bytes {JMP QWORD [RIP+0x9899140]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076ba8184 6 bytes {JMP QWORD [RIP+0x9977eac]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetParent 0000000076ba8530 6 bytes {JMP QWORD [RIP+0x98b7b00]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076ba9bcc 6 bytes {JMP QWORD [RIP+0x9616464]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!PostMessageA 0000000076baa404 6 bytes {JMP QWORD [RIP+0x9655c2c]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!EnableWindow 0000000076baaaa0 6 bytes {JMP QWORD [RIP+0x99b5590]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!MoveWindow 0000000076baaad0 6 bytes {JMP QWORD [RIP+0x98d5560]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bac720 6 bytes {JMP QWORD [RIP+0x9873910]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076bacd50 6 bytes {JMP QWORD [RIP+0x99532e0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bad2b0 6 bytes {JMP QWORD [RIP+0x9692d80]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bad338 6 bytes {JMP QWORD [RIP+0x96d2cf8]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076badc40 6 bytes {JMP QWORD [RIP+0x97b23f0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076baf510 6 bytes {JMP QWORD [RIP+0x9990b20]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076baf874 6 bytes {JMP QWORD [RIP+0x95d07bc]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076bafac0 6 bytes {JMP QWORD [RIP+0x9730570]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bb0b74 6 bytes {JMP QWORD [RIP+0x96af4bc]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bb33b0 6 bytes {JMP QWORD [RIP+0x962cc80]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bb4d4d 5 bytes {JMP QWORD [RIP+0x95eb2e4]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bb5010 6 bytes {JMP QWORD [RIP+0x984b020]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bb5438 6 bytes {JMP QWORD [RIP+0x976abf8]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bb6b50 6 bytes {JMP QWORD [RIP+0x96e94e0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bb76e4 6 bytes {JMP QWORD [RIP+0x966894c]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bbdd90 6 bytes {JMP QWORD [RIP+0x97e22a0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bbe874 6 bytes {JMP QWORD [RIP+0x99217bc]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bbf780 6 bytes {JMP QWORD [RIP+0x98e08b0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076bc28e4 6 bytes {JMP QWORD [RIP+0x977d74c]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!mouse_event 0000000076bc3894 6 bytes {JMP QWORD [RIP+0x957c79c]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076bc8a10 6 bytes {JMP QWORD [RIP+0x9817620]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076bc8be0 6 bytes {JMP QWORD [RIP+0x96f7450]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076bc8c20 6 bytes {JMP QWORD [RIP+0x9597410]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendInput 0000000076bc8cd0 6 bytes {JMP QWORD [RIP+0x97f7360]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!BlockInput 0000000076bcad60 6 bytes {JMP QWORD [RIP+0x98f52d0]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076bf14e0 6 bytes {JMP QWORD [RIP+0x998eb50]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!keybd_event 0000000076c145a4 6 bytes {JMP QWORD [RIP+0x950ba8c]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c1cc08 6 bytes {JMP QWORD [RIP+0x9763428]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c1df18 6 bytes {JMP QWORD [RIP+0x96e2118]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\services.exe[708] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lsm.exe[732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 21 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Windows\system32\atiesrxx.exe[1036] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes JMP a6d36c8 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes JMP 6 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes JMP e041be8 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes JMP e661029 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes JMP 606b2c1 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes JMP 96683f0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes JMP 94ae868 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes JMP 5d005d .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes JMP 5d005d .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes JMP 94df940 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes JMP 95ce5c8 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes JMP 13f5ce81 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes JMP c572681 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes JMP 40004 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes JMP 6a0499a .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes JMP 4e604e6 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes JMP 1f401 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes JMP 606b2c1 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes JMP b5aff31 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes JMP c0b6250 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes JMP 666d388 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes JMP 7226ce0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes JMP 6bb501 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes JMP 310490 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes JMP 78197c9 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes JMP a96b8e0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes JMP 7acfde8 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[1128] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe4e8f6c 6 bytes {JMP QWORD [RIP+0x10c70c4]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe7019b8 6 bytes {JMP QWORD [RIP+0xe7e678]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x41db70]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1212] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1408] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x41db70]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Windows\system32\Hpservice.exe[1464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x41db70]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Windows\system32\WUDFHost.exe[1616] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1768] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes JMP 8f66 .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\conhost.exe[1776] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x3fdd64]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x41db70]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes JMP 8f78 .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Windows\System32\spoolsv.exe[1856] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 121a80 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes JMP 57005c .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1928] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[2000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1560] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x68db70]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x6aa450]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x6e4648]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x6bac20]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 200073 .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[2120] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 13f .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[2144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x68db70]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x6aa450]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x6e4648]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x6bac20]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2272] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x68db70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x6aa450]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x6e4648]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x6bac20]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2316] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2716] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 4d68636d .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 0 .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe[2752] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wbem\unsecapp.exe[3000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 1d6d60 .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 7044000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 7044000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 7065000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 7065000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 7050000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 7050000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 7056000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 7056000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 704d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 704d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 707d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 707d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 7059000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 7059000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 7071000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 7071000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 706e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 706e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 7053000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 7053000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 703e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 703e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7083000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7083000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7086000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7086000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 7062000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 7062000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 707a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 707a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 7080000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 7080000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 7074000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 7074000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 7077000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 7077000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 704a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 704a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 7041000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 7041000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 705f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 705f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 7047000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 7047000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 705c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 705c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 706b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 706b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 7068000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 7068000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 70e0000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 70d4000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 708f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 70ce000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 70c8000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 70e6000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7095000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7095000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 70da000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 70ad000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 708c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 70dd000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 70d7000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 70e3000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 70d1000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7092000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 70bc000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 70c2000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 70ec000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 709e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 709e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 70b9000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 70b6000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 70aa000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7098000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7089000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 70ef000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 70c5000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 709b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 709b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[3800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 730065 .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[2256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes JMP ff7f4f41 .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes JMP 370033 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes JMP ffffff .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes JMP 6f0072 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes JMP ffcccccc .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes JMP 1 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes JMP d0400e1 .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 770020 .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x41db70]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x43a450]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes JMP 720065 .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x44ac20]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076ba6ef0 6 bytes {JMP QWORD [RIP+0x9899140]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076ba8184 6 bytes {JMP QWORD [RIP+0x9977eac]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetParent 0000000076ba8530 6 bytes {JMP QWORD [RIP+0x98b7b00]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076ba9bcc 6 bytes {JMP QWORD [RIP+0x9616464]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!PostMessageA 0000000076baa404 6 bytes {JMP QWORD [RIP+0x9655c2c]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!EnableWindow 0000000076baaaa0 6 bytes {JMP QWORD [RIP+0x99b5590]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!MoveWindow 0000000076baaad0 6 bytes {JMP QWORD [RIP+0x98d5560]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bac720 6 bytes {JMP QWORD [RIP+0x9873910]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076bacd50 6 bytes {JMP QWORD [RIP+0x99532e0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bad2b0 6 bytes {JMP QWORD [RIP+0x9692d80]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bad338 6 bytes {JMP QWORD [RIP+0x96d2cf8]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076badc40 6 bytes {JMP QWORD [RIP+0x97b23f0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076baf510 6 bytes {JMP QWORD [RIP+0x9990b20]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076baf874 6 bytes {JMP QWORD [RIP+0x95d07bc]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076bafac0 6 bytes {JMP QWORD [RIP+0x9730570]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bb0b74 6 bytes {JMP QWORD [RIP+0x96af4bc]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bb33b0 6 bytes {JMP QWORD [RIP+0x962cc80]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bb4d4d 5 bytes {JMP QWORD [RIP+0x95eb2e4]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bb5010 6 bytes {JMP QWORD [RIP+0x984b020]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bb5438 6 bytes {JMP QWORD [RIP+0x976abf8]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bb6b50 6 bytes {JMP QWORD [RIP+0x96e94e0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bb76e4 6 bytes {JMP QWORD [RIP+0x966894c]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bbdd90 6 bytes {JMP QWORD [RIP+0x97e22a0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bbe874 6 bytes {JMP QWORD [RIP+0x99217bc]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bbf780 6 bytes {JMP QWORD [RIP+0x98e08b0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076bc28e4 6 bytes {JMP QWORD [RIP+0x977d74c]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!mouse_event 0000000076bc3894 6 bytes {JMP QWORD [RIP+0x957c79c]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076bc8a10 6 bytes {JMP QWORD [RIP+0x9817620]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076bc8be0 6 bytes {JMP QWORD [RIP+0x96f7450]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076bc8c20 6 bytes {JMP QWORD [RIP+0x9597410]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendInput 0000000076bc8cd0 6 bytes {JMP QWORD [RIP+0x97f7360]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!BlockInput 0000000076bcad60 6 bytes {JMP QWORD [RIP+0x98f52d0]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076bf14e0 6 bytes {JMP QWORD [RIP+0x998eb50]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!keybd_event 0000000076c145a4 6 bytes {JMP QWORD [RIP+0x950ba8c]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c1cc08 6 bytes {JMP QWORD [RIP+0x9763428]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c1df18 6 bytes {JMP QWORD [RIP+0x96e2118]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe4e8f6c 6 bytes {JMP QWORD [RIP+0x10c70c4]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe7019b8 6 bytes {JMP QWORD [RIP+0xe7e678]} .text C:\Windows\Explorer.EXE[3744] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\taskeng.exe[3780] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 22 .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 2493e0 .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\igfxtray.exe[4280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 140000 .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP fefefefe .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\hkcmd.exe[4292] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x474648]} .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[4300] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4336] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x68db70]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x6aa450]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x6e4648]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x6bac20]} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4344] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\Windows\System32\rundll32.exe[4448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 380061 .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 44f043e .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\IDT\WDM\sttray64.exe[4596] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4808] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007606addd 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4996] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wbem\unsecapp.exe[5008] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\ProgramData\Easybits Magic Desktop for HP\mdhpSUN.exe[4320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[4844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 380034 .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 1210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x298ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes JMP fca10230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes JMP a9a19ead .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 14 bytes {MOV RAX, 0x7fef2aa8d50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes JMP 9286810 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes JMP 2c686364 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes JMP 6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes JMP 94eeb18 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes JMP f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes JMP 80000001 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes JMP ef002f79 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes JMP 918bf60 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes JMP 456c980 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes JMP 90fa690 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes JMP 90c0820 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes JMP 91006e2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes JMP 8f49a10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe4e8f6c 6 bytes {JMP QWORD [RIP+0x10c70c4]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe7019b8 6 bytes {JMP QWORD [RIP+0xe7e678]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076ba6ef0 6 bytes JMP 3f080000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076ba8184 6 bytes {JMP QWORD [RIP+0x9977eac]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetParent 0000000076ba8530 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076ba9bcc 6 bytes {JMP QWORD [RIP+0x9616464]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!PostMessageA 0000000076baa404 6 bytes {JMP QWORD [RIP+0x9655c2c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!EnableWindow 0000000076baaaa0 6 bytes {JMP QWORD [RIP+0x99b5590]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!MoveWindow 0000000076baaad0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076bac720 6 bytes JMP 3f7e0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076bacd50 6 bytes {JMP QWORD [RIP+0x99532e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076bad2b0 6 bytes {JMP QWORD [RIP+0x9692d80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageA 0000000076bad338 6 bytes {JMP QWORD [RIP+0x96d2cf8]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076badc40 6 bytes {JMP QWORD [RIP+0x97b23f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076baf510 6 bytes {JMP QWORD [RIP+0x9990b20]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076baf874 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076bafac0 6 bytes {JMP QWORD [RIP+0x9730570]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076bb0b74 6 bytes {JMP QWORD [RIP+0x96af4bc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076bb33b0 6 bytes {JMP QWORD [RIP+0x962cc80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076bb4d4d 5 bytes {JMP QWORD [RIP+0x95eb2e4]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!GetKeyState 0000000076bb5010 6 bytes {JMP QWORD [RIP+0x984b020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076bb5438 6 bytes {JMP QWORD [RIP+0x976abf8]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageW 0000000076bb6b50 6 bytes {JMP QWORD [RIP+0x96e94e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!PostMessageW 0000000076bb76e4 6 bytes {JMP QWORD [RIP+0x966894c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076bbdd90 6 bytes {JMP QWORD [RIP+0x97e22a0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076bbe874 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076bbf780 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076bc28e4 6 bytes {JMP QWORD [RIP+0x977d74c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!mouse_event 0000000076bc3894 6 bytes {JMP QWORD [RIP+0x957c79c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076bc8a10 6 bytes {JMP QWORD [RIP+0x9817620]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076bc8be0 6 bytes {JMP QWORD [RIP+0x96f7450]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076bc8c20 6 bytes {JMP QWORD [RIP+0x9597410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendInput 0000000076bc8cd0 6 bytes {JMP QWORD [RIP+0x97f7360]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!BlockInput 0000000076bcad60 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076bf14e0 6 bytes {JMP QWORD [RIP+0x998eb50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!keybd_event 0000000076c145a4 6 bytes {JMP QWORD [RIP+0x950ba8c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076c1cc08 6 bytes {JMP QWORD [RIP+0x9763428]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076c1df18 6 bytes {JMP QWORD [RIP+0x96e2118]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5444] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe[6056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP 0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5256] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007606addd 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 72aa0000 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0A] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3696] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 7096000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 7096000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70bc000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70bc000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70a2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70a2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70aa000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70aa000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 709f000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 709f000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70d5000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70d5000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70ad000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70ad000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70c5000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70c5000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70a7000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70a7000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 7090000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 7090000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 70db000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 70db000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 70de000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 70de000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70b9000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70b9000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70d2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70d2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70d8000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70d8000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70cf000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70cf000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 709c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 709c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 7093000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 7093000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70b6000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70b6000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 7099000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 7099000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70b3000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70b3000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70c2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70c2000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70bf000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70bf000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 70e7000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 70ed000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 70ed000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 711e000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7115000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7115000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 70e4000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 70f9000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 70f9000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 70ea000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 712d000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 70f6000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 70f6000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 712a000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7127000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 711b000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 7121000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 7121000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 70f0000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 70e1000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 7130000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 70f3000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 70f3000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075e696f6 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007606addd 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[5184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075179d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[5368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 0 .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes JMP 2 .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\AUDIODG.EXE[4724] C:\Windows\System32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes JMP bc582d62 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000772d13e0 7 bytes [48, B8, 74, 0B, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000772d13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000772d1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f9013} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000772d1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000772d1570 7 bytes [48, B8, 94, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000772d1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000772d1580 7 bytes [48, B8, 98, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000772d1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000772d1590 7 bytes [48, B8, 58, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000772d1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000772d15b0 7 bytes [48, B8, C4, 0A, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000772d15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000772d1600 7 bytes [48, B8, 58, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000772d1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000772d1610 7 bytes [48, B8, D0, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000772d1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 7 bytes [48, B8, 3C, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000772d1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000772d16e0 7 bytes [48, B8, 70, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000772d16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 7 bytes [48, B8, C8, 0C, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772d1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000772d22d0 7 bytes [48, B8, B8, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000772d22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000772d2320 7 bytes [48, B8, 70, 0F, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000772d2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000772d2470 7 bytes [48, B8, 84, 0D, 90, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000772d2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x917c550]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000772d13d0 6 bytes {JMP QWORD [RIP+0x8e4ec60]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x912ec30]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x9d4eb60]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000772d1530 6 bytes {JMP QWORD [RIP+0x8e2eb00]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000772d1540 6 bytes {JMP QWORD [RIP+0x908eaf0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x9c3ea60]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x906e9f0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x900e9b0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000772d16a0 6 bytes {JMP QWORD [RIP+0x90ae990]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772d1710 6 bytes {JMP QWORD [RIP+0x8ece920]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x9cee910]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x8eae8a0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x8fee880]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x9bbe840]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x9bde7f0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x904e7d0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x8dee5e0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x8dce5d0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x8e0e4d0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x8fae400]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x8eee3c0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x8e6e350]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000772d1cf0 6 bytes {JMP QWORD [RIP+0x902e340]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x8f6e320]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x8f2e2c0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x9d0e2b0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x9d6e2a0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000772d1df0 6 bytes {JMP QWORD [RIP+0x8fce240]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x9c6df30]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x9d2dea0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772d21f0 6 bytes {JMP QWORD [RIP+0x90ede40]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772d2200 6 bytes {JMP QWORD [RIP+0x90cde30]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772d2230 6 bytes {JMP QWORD [RIP+0x8f0de00]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772d22a0 6 bytes {JMP QWORD [RIP+0x8e8dd90]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772d22f0 6 bytes {JMP QWORD [RIP+0x8f4dd40]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772d2800 6 bytes {JMP QWORD [RIP+0x8f8d830]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x9c8d630]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000772d2a20 6 bytes {JMP QWORD [RIP+0x910d610]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x9bfd5b0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x9c1d530]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f56bf0 6 bytes {JMP QWORD [RIP+0x90c9440]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x991dc60]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f64560 6 bytes {JMP QWORD [RIP+0x911bad0]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x9871880]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fd1720 6 bytes {JMP QWORD [RIP+0x906e910]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x9840940]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9880910]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x9820740]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x985a970]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda49ec0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 06] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 4d68636d .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe16687c 6 bytes {JMP QWORD [RIP+0x2c97b4]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefe168e30 6 bytes {JMP QWORD [RIP+0x347200]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefe16995c 6 bytes {JMP QWORD [RIP+0x3266d4]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe1699e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe169ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe16a51c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe16a530 6 bytes {JMP QWORD [RIP+0x285b00]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe16a5b0 5 bytes [FF, 25, 80, 5A, 07] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe16a5c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe16bb28 6 bytes {JMP QWORD [RIP+0x2e4508]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe16bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefe16bb40 2 bytes [30, 00] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe306bd0 6 bytes {JMP QWORD [RIP+0x1d9460]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x1add64]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x1cdb70]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x1ea450]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0x167c98]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x147668]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0x186cec]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes JMP aab .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x1fac20]} .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x917c550]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000772d13d0 6 bytes {JMP QWORD [RIP+0x8e4ec60]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x912ec30]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x9d4eb60]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000772d1530 6 bytes {JMP QWORD [RIP+0x8e2eb00]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000772d1540 6 bytes {JMP QWORD [RIP+0x908eaf0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x9c3ea60]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x906e9f0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x900e9b0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000772d16a0 6 bytes {JMP QWORD [RIP+0x90ae990]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772d1710 6 bytes {JMP QWORD [RIP+0x8ece920]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x9cee910]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x8eae8a0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x8fee880]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x9bbe840]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x9bde7f0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x904e7d0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x8dee5e0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x8dce5d0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x8e0e4d0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x8fae400]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x8eee3c0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x8e6e350]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000772d1cf0 6 bytes {JMP QWORD [RIP+0x902e340]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x8f6e320]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x8f2e2c0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x9d0e2b0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x9d6e2a0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000772d1df0 6 bytes {JMP QWORD [RIP+0x8fce240]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x9c6df30]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x9d2dea0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772d21f0 6 bytes {JMP QWORD [RIP+0x90ede40]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772d2200 6 bytes {JMP QWORD [RIP+0x90cde30]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772d2230 6 bytes {JMP QWORD [RIP+0x8f0de00]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772d22a0 6 bytes {JMP QWORD [RIP+0x8e8dd90]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772d22f0 6 bytes {JMP QWORD [RIP+0x8f4dd40]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772d2800 6 bytes {JMP QWORD [RIP+0x8f8d830]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x9c8d630]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000772d2a20 6 bytes {JMP QWORD [RIP+0x910d610]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x9bfd5b0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x9c1d530]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f56bf0 6 bytes {JMP QWORD [RIP+0x90c9440]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x991dc60]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f64560 6 bytes {JMP QWORD [RIP+0x911bad0]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x9871880]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fd1720 6 bytes {JMP QWORD [RIP+0x906e910]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x9840940]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9880910]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x9820740]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x985a970]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda49ec0 5 bytes [FF, 25, 70, 61, 0B] .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes CALL 32f50000 .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 0C] .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefe16687c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefe168e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefe16995c 6 bytes {JMP QWORD [RIP+0x3266d4]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefe1699e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefe169ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefe16a51c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefe16a530 6 bytes {JMP QWORD [RIP+0x285b00]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefe16a5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefe16a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefe16bb28 6 bytes JMP 650076 .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefe16bb3c 3 bytes JMP 0 .text C:\Windows\system32\svchost.exe[652] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefe16bb40 2 bytes JMP 0 .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0x1add64]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x1cdb70]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x1ea450]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0x167c98]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x147668]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0x186cec]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x224648]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x1fac20]} .text C:\Windows\system32\svchost.exe[652] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes JMP 0 .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 330031 .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes JMP 310030 .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\notepad.exe[6764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes JMP 701b .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\notepad.exe[4496] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772a3ae0 6 bytes {JMP QWORD [RIP+0x8d9c550]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772d1400 6 bytes {JMP QWORD [RIP+0x8d4ec30]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000772d14d0 6 bytes {JMP QWORD [RIP+0x958eb60]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772d15d0 6 bytes {JMP QWORD [RIP+0x942ea60]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772d1640 6 bytes {JMP QWORD [RIP+0x950e9f0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772d1680 6 bytes {JMP QWORD [RIP+0x94ce9b0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772d1720 6 bytes {JMP QWORD [RIP+0x952e910]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772d1790 6 bytes {JMP QWORD [RIP+0x932e8a0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772d17b0 6 bytes {JMP QWORD [RIP+0x94ae880]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772d17f0 6 bytes {JMP QWORD [RIP+0x93ae840]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772d1840 6 bytes {JMP QWORD [RIP+0x93ce7f0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772d1860 6 bytes {JMP QWORD [RIP+0x94ee7d0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772d1a50 6 bytes {JMP QWORD [RIP+0x95ce5e0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000772d1a60 6 bytes {JMP QWORD [RIP+0x92ee5d0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772d1b60 6 bytes {JMP QWORD [RIP+0x92ce4d0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772d1c30 6 bytes {JMP QWORD [RIP+0x944e400]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772d1c70 6 bytes {JMP QWORD [RIP+0x934e3c0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772d1ce0 6 bytes {JMP QWORD [RIP+0x930e350]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000772d1d10 6 bytes {JMP QWORD [RIP+0x938e320]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772d1d70 6 bytes {JMP QWORD [RIP+0x936e2c0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000772d1d80 6 bytes {JMP QWORD [RIP+0x954e2b0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772d1d90 6 bytes {JMP QWORD [RIP+0x95ae2a0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772d2100 6 bytes {JMP QWORD [RIP+0x946df30]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000772d2190 6 bytes {JMP QWORD [RIP+0x956dea0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772d2a00 6 bytes {JMP QWORD [RIP+0x948d630]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772d2a80 6 bytes {JMP QWORD [RIP+0x93ed5b0]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772d2b00 6 bytes {JMP QWORD [RIP+0x940d530]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076f623d0 6 bytes {JMP QWORD [RIP+0x919dc60]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f6e7b0 6 bytes {JMP QWORD [RIP+0x90f1880]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076fdf6f0 6 bytes {JMP QWORD [RIP+0x90c0940]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076fdf720 6 bytes {JMP QWORD [RIP+0x9100910]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076fdf8f0 6 bytes {JMP QWORD [RIP+0x90a0740]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076fe56c0 6 bytes {JMP QWORD [RIP+0x90da970]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefda4a058 3 bytes [B2, 5F, 22] .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefda563c0 5 bytes [FF, 25, 70, 9C, 26] .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdd822cc 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdd824c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdd85be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdd88398 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdd889c8 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdd89344 6 bytes JMP 300030 .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdd8b9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdd95410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\notepad.exe[3412] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff327490 6 bytes {JMP QWORD [RIP+0x238ba0]} .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007747f9d0 3 bytes JMP 71af000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007747f9d4 2 bytes JMP 71af000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007747fb18 3 bytes JMP 70c1000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007747fb1c 2 bytes JMP 70c1000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007747fca0 3 bytes JMP 70e2000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007747fca4 2 bytes JMP 70e2000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007747fd54 3 bytes JMP 70cd000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007747fd58 2 bytes JMP 70cd000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007747fdb8 3 bytes JMP 70d3000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007747fdbc 2 bytes JMP 70d3000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007747feb0 3 bytes JMP 70ca000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007747feb4 2 bytes JMP 70ca000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007747ff64 3 bytes JMP 70fa000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007747ff68 2 bytes JMP 70fa000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007747ff94 3 bytes JMP 70d6000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007747ff98 2 bytes JMP 70d6000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007747fff4 3 bytes JMP 70ee000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007747fff8 2 bytes JMP 70ee000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077480074 3 bytes JMP 70eb000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077480078 2 bytes JMP 70eb000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774800a4 3 bytes JMP 70d0000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774800a8 2 bytes JMP 70d0000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774803a8 3 bytes JMP 70bb000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774803ac 2 bytes JMP 70bb000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000774803c0 3 bytes JMP 7100000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000774803c4 2 bytes JMP 7100000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077480540 3 bytes JMP 7103000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077480544 2 bytes JMP 7103000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077480684 3 bytes JMP 70df000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077480688 2 bytes JMP 70df000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000774806e4 3 bytes JMP 70f7000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000774806e8 2 bytes JMP 70f7000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007748078c 3 bytes JMP 70fd000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077480790 2 bytes JMP 70fd000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000774807d4 3 bytes JMP 70f1000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000774807d8 2 bytes JMP 70f1000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077480864 3 bytes JMP 70f4000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077480868 2 bytes JMP 70f4000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007748087c 3 bytes JMP 70c7000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077480880 2 bytes JMP 70c7000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077480894 3 bytes JMP 70be000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077480898 2 bytes JMP 70be000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077480de4 3 bytes JMP 70dc000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077480de8 2 bytes JMP 70dc000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077480ec8 3 bytes JMP 70c4000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077480ecc 2 bytes JMP 70c4000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077481bd4 3 bytes JMP 70d9000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077481bd8 2 bytes JMP 70d9000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077481ca4 3 bytes JMP 70e8000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077481ca8 2 bytes JMP 70e8000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077481d7c 3 bytes JMP 70e5000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077481d80 2 bytes JMP 70e5000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774a11d7 6 bytes JMP 71a8000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076a83bf3 3 bytes JMP 719c000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076a83bf7 2 bytes JMP 719c000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076a89acc 6 bytes JMP 7187000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076a93b92 6 bytes JMP 717e000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076a9cce1 6 bytes JMP 718a000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076aed7ce 6 bytes JMP 7184000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076aed871 6 bytes JMP 7181000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007575eae7 6 bytes JMP 719f000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000075761d26 4 bytes CALL 71ac0000 .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000757b8332 6 bytes JMP 715d000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757b8bff 6 bytes JMP 7151000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757b90d3 6 bytes JMP 710c000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757b9679 6 bytes JMP 714b000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757b97d2 6 bytes JMP 7145000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757bee09 6 bytes JMP 7163000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757befc9 3 bytes JMP 7112000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757befcd 2 bytes JMP 7112000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757c12a5 6 bytes JMP 7157000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757c291f 6 bytes JMP 712a000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetParent 00000000757c2d64 3 bytes JMP 7121000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757c2d68 2 bytes JMP 7121000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757c2da4 6 bytes JMP 7109000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757c3698 3 bytes JMP 711e000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757c369c 2 bytes JMP 711e000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757c3baa 6 bytes JMP 715a000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757c3c61 6 bytes JMP 7154000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000757c6110 6 bytes JMP 7160000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757c612e 6 bytes JMP 714e000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757c6c30 6 bytes JMP 710f000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757c7603 6 bytes JMP 7166000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757c7668 6 bytes JMP 7139000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757c76e0 6 bytes JMP 713f000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757c781f 6 bytes JMP 7148000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757c835c 6 bytes JMP 7169000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757cc4b6 3 bytes JMP 711b000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757cc4ba 2 bytes JMP 711b000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757dc112 6 bytes JMP 7136000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757dd0f5 6 bytes JMP 7133000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757deb96 6 bytes JMP 7127000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757dec68 3 bytes JMP 712d000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757dec6c 2 bytes JMP 712d000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendInput 00000000757dff4a 3 bytes JMP 7130000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757dff4e 2 bytes JMP 7130000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757f9f1d 6 bytes JMP 7115000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075801497 6 bytes JMP 7106000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!mouse_event 000000007581027b 6 bytes JMP 716c000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758102bf 6 bytes JMP 716f000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075816cfc 6 bytes JMP 7142000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075816d5d 6 bytes JMP 713c000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075817dd7 3 bytes JMP 7118000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075817ddb 2 bytes JMP 7118000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758188eb 3 bytes JMP 7124000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758188ef 2 bytes JMP 7124000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075a758b3 6 bytes JMP 718d000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075a75ea6 6 bytes JMP 717b000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075a77bcc 6 bytes JMP 7196000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075a7b895 6 bytes JMP 7172000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075a7c332 6 bytes JMP 7178000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075a7cbfb 6 bytes JMP 7190000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075a7e743 6 bytes JMP 7193000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075aa4646 6 bytes JMP 7175000a .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74] .text C:\Users\Lech\Downloads\g5ysnlel.exe[4988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74] .text ... * 2 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6064] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3672] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1236] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6780] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5712] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4464] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6516] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4984] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5456] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5356] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3712] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5304] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feec207598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feec207cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feec207f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feec207d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4928] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feeb3c2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289b6de69 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289b6de69 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----