GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-23 12:19:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SV300S37A120G rev.505ABBF0 111,79GB Running: vjzkvv3z.exe; Driver: C:\Users\MRC\AppData\Local\Temp\awporkob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007717bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007717bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007717bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007717bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\services.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\services.exe[480] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef02930 6 bytes {JMP QWORD [RIP+0x21d700]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076f16ea0 6 bytes {JMP QWORD [RIP+0x9529190]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076f180e4 6 bytes {JMP QWORD [RIP+0x9607f4c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetParent 0000000076f18480 6 bytes {JMP QWORD [RIP+0x9547bb0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076f19b10 6 bytes {JMP QWORD [RIP+0x92a6520]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!PostMessageA 0000000076f1a354 6 bytes {JMP QWORD [RIP+0x92e5cdc]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!EnableWindow 0000000076f1aa00 6 bytes {JMP QWORD [RIP+0x9645630]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!MoveWindow 0000000076f1aa30 6 bytes {JMP QWORD [RIP+0x9565600]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076f1c63c 6 bytes {JMP QWORD [RIP+0x95039f4]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076f1cc90 6 bytes {JMP QWORD [RIP+0x95e33a0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076f1d204 6 bytes {JMP QWORD [RIP+0x9322e2c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageA 0000000076f1d290 6 bytes {JMP QWORD [RIP+0x9362da0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076f1dbc0 6 bytes {JMP QWORD [RIP+0x9442470]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076f1f490 6 bytes {JMP QWORD [RIP+0x9620ba0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076f1f804 6 bytes {JMP QWORD [RIP+0x926082c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076f1fa50 6 bytes {JMP QWORD [RIP+0x93c05e0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076f20b14 6 bytes {JMP QWORD [RIP+0x933f51c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076f23340 6 bytes {JMP QWORD [RIP+0x92bccf0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076f24ccd 5 bytes {JMP QWORD [RIP+0x927b364]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!GetKeyState 0000000076f24f80 6 bytes {JMP QWORD [RIP+0x94db0b0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076f253d0 6 bytes {JMP QWORD [RIP+0x93fac60]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageW 0000000076f26b04 6 bytes {JMP QWORD [RIP+0x937952c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!PostMessageW 0000000076f276d4 6 bytes {JMP QWORD [RIP+0x92f895c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076f2dd9c 6 bytes {JMP QWORD [RIP+0x9472294]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076f2e854 6 bytes {JMP QWORD [RIP+0x95b17dc]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076f2f780 6 bytes {JMP QWORD [RIP+0x95708b0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076f328d4 6 bytes {JMP QWORD [RIP+0x940d75c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!mouse_event 0000000076f33874 6 bytes {JMP QWORD [RIP+0x920c7bc]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076f389c0 6 bytes {JMP QWORD [RIP+0x94a7670]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076f38b88 6 bytes {JMP QWORD [RIP+0x93874a8]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076f38bd0 6 bytes {JMP QWORD [RIP+0x9227460]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendInput 0000000076f38c90 6 bytes {JMP QWORD [RIP+0x94873a0]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!BlockInput 0000000076f3ad10 6 bytes {JMP QWORD [RIP+0x9585320]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076f61534 6 bytes {JMP QWORD [RIP+0x961eafc]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!keybd_event 0000000076f84610 6 bytes {JMP QWORD [RIP+0x919ba20]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f8cc7c 6 bytes {JMP QWORD [RIP+0x93f33b4]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f8df8c 6 bytes {JMP QWORD [RIP+0x93720a4]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x46457c]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x443880]} .text C:\Windows\system32\services.exe[480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 5d00 .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\lsm.exe[760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef02930 6 bytes JMP 2a71 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 18dd58 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x428abc]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 2d0033 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x46457c]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x443880]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x42dca0]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x448abc]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP d28 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[1104] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef02930 6 bytes {JMP QWORD [RIP+0x21d700]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x428abc]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x46457c]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x443880]} .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x2f9320]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\svchost.exe[1496] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\svchost.exe[1532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 219318 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP b0a .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef02930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 8b6ec381 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x46457c]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP f1eef1ee .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdfc8f0c 6 bytes {JMP QWORD [RIP+0x1227124]} .text C:\Windows\system32\svchost.exe[1612] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe1e3214 6 bytes {JMP QWORD [RIP+0xfdce1c]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 27100352 .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\svchost.exe[1708] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 300037 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 28] .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 1 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x2f9320]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef02930 6 bytes JMP 21d780 .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x428abc]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x46457c]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x443880]} .text C:\Windows\system32\svchost.exe[1988] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 1000100 .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x2f9320]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 610072 .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\taskhost.exe[1656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\svchost.exe[1808] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 690057 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes [E1, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes [D2, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes [C9, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes [ED, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes [BA, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes [FF, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes [DE, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes [F6, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes [FC, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes [F0, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes [C6, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes [DB, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes [C3, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes [D8, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes [E7, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes [E4, 70] .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 20000 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\Dwm.exe[2144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdfc8f0c 6 bytes {JMP QWORD [RIP+0x1147124]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe1e3214 6 bytes {JMP QWORD [RIP+0xccce1c]} .text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 2f92b0 .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b13bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076b13bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b19abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b23b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b2cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076b7ddde 6 bytes JMP 7184000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076b7de81 3 bytes JMP 7181000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076b7de85 2 bytes JMP 7181000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753ef8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000753f2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a08332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a08bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a090d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a09679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a097d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a0ee21 6 bytes JMP 715d000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a0efe1 3 bytes JMP 710c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a0efe5 2 bytes JMP 710c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a112bd 6 bytes JMP 7151000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a12797 6 bytes JMP 7124000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a13ef0 3 bytes JMP 7118000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a13ef4 2 bytes JMP 7118000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a145cc 3 bytes JMP 711b000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a145d0 2 bytes JMP 711b000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a1460c 6 bytes JMP 7103000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a14713 6 bytes JMP 7121000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a147e5 3 bytes JMP 7127000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a147e9 2 bytes JMP 7127000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a14bbc 6 bytes JMP 7154000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a14d1d 6 bytes JMP 714e000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a171e0 6 bytes JMP 715a000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a171fe 6 bytes JMP 7148000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a17d59 6 bytes JMP 7109000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a181f5 6 bytes JMP 7160000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a1825a 6 bytes JMP 7133000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a182d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a18411 6 bytes JMP 7142000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a18f4c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a1cc1e 3 bytes JMP 7115000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a1cc22 2 bytes JMP 7115000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a2a072 6 bytes JMP 7130000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a2dbf5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a2ff2a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a2ff2e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076a49fa4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076a51533 6 bytes JMP 7100000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076a6030f 6 bytes JMP 7166000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076a60353 6 bytes JMP 7169000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076a66d94 6 bytes JMP 713c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076a66df5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076a67e6f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076a67e73 2 bytes JMP 7112000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076a68983 3 bytes JMP 711e000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076a68987 2 bytes JMP 711e000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074e858b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074e85ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074e87bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074e8b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074e8bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074e8cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074e8e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074eb4aa2 6 bytes JMP 716f000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c09670 6 bytes JMP 7178000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e0c509 6 bytes JMP 717b000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075039cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075691401 2 bytes JMP 76b2b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075691419 2 bytes JMP 76b2b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075691431 2 bytes JMP 76ba9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007569144a 2 bytes CALL 76b04885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756914dd 2 bytes JMP 76ba8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756914f5 2 bytes JMP 76ba8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007569150d 2 bytes JMP 76ba8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075691525 2 bytes JMP 76ba8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007569153d 2 bytes JMP 76b1fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075691555 2 bytes JMP 76b26907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007569156d 2 bytes JMP 76ba9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075691585 2 bytes JMP 76ba8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007569159d 2 bytes JMP 76ba88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756915b5 2 bytes JMP 76b1fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756915cd 2 bytes JMP 76b2b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756916b2 2 bytes JMP 76ba90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756916bd 2 bytes JMP 76ba8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 240020 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe[2720] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 2e41 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x46dd50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x4cdca0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x4e8abc]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x427e3c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x40780c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x52457c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x503880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2768] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70bb000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70bb000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes JMP 70dc000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes JMP 70dc000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70c7000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70c7000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes JMP 70cd000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes JMP 70cd000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes JMP 70c4000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes JMP 70c4000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70f4000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70f4000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70d0000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70d0000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes JMP 70e8000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes JMP 70e8000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70e5000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70e5000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70ca000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70ca000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes JMP 70b5000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes JMP 70b5000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes JMP 70fa000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes JMP 70fa000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 70fd000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 70fd000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes JMP 70d9000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes JMP 70d9000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes JMP 70f1000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes JMP 70f1000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes JMP 70f7000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes JMP 70f7000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes JMP 70eb000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes JMP 70eb000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70ee000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70ee000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes JMP 70c1000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes JMP 70c1000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70b8000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70b8000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes JMP 70d6000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes JMP 70d6000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes JMP 70be000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes JMP 70be000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes JMP 70d3000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes JMP 70d3000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes JMP 70e2000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes JMP 70e2000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes JMP 70df000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes JMP 70df000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b13bbb 3 bytes JMP 719c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076b13bbf 2 bytes JMP 719c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b19abc 6 bytes JMP 7187000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b23b7a 6 bytes JMP 717e000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b2cd11 6 bytes JMP 718a000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076b7ddde 6 bytes JMP 7184000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076b7de81 3 bytes JMP 7181000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076b7de85 2 bytes JMP 7181000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753ef8a7 6 bytes JMP 719f000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000753f2e0b 4 bytes CALL 71ac0000 .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a08332 6 bytes JMP 7157000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a08bff 6 bytes JMP 714b000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a090d3 6 bytes JMP 7106000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a09679 6 bytes JMP 7145000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a097d2 6 bytes JMP 713f000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a0ee21 6 bytes JMP 715d000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a0efe1 3 bytes JMP 710c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a0efe5 2 bytes JMP 710c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a112bd 6 bytes JMP 7151000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a12797 6 bytes JMP 7124000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a13ef0 3 bytes JMP 7118000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a13ef4 2 bytes JMP 7118000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a145cc 3 bytes JMP 711b000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a145d0 2 bytes JMP 711b000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a1460c 6 bytes JMP 7103000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a14713 6 bytes JMP 7121000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a147e5 3 bytes JMP 7127000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a147e9 2 bytes JMP 7127000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a14bbc 6 bytes JMP 7154000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a14d1d 6 bytes JMP 714e000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a171e0 6 bytes JMP 715a000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a171fe 6 bytes JMP 7148000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a17d59 6 bytes JMP 7109000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a181f5 6 bytes JMP 7160000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a1825a 6 bytes JMP 7133000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a182d2 6 bytes JMP 7139000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a18411 6 bytes JMP 7142000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a18f4c 6 bytes JMP 7163000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a1cc1e 3 bytes JMP 7115000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a1cc22 2 bytes JMP 7115000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a2a072 6 bytes JMP 7130000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a2dbf5 6 bytes JMP 712d000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a2ff2a 3 bytes JMP 712a000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a2ff2e 2 bytes JMP 712a000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076a49fa4 6 bytes JMP 710f000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076a51533 6 bytes JMP 7100000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076a6030f 6 bytes JMP 7166000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076a60353 6 bytes JMP 7169000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076a66d94 6 bytes JMP 713c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076a66df5 6 bytes JMP 7136000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076a67e6f 3 bytes JMP 7112000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076a67e73 2 bytes JMP 7112000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076a68983 3 bytes JMP 711e000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076a68987 2 bytes JMP 711e000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074e858b3 6 bytes JMP 718d000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074e85ea5 6 bytes JMP 7175000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074e87bcc 6 bytes JMP 7196000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074e8b98a 6 bytes JMP 7190000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074e8bd7d 6 bytes JMP 716c000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074e8cf11 6 bytes JMP 7172000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074e8e935 6 bytes JMP 7193000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074eb4aa2 6 bytes JMP 716f000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075039cbb 6 bytes JMP 7199000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c09670 6 bytes JMP 7178000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e0c509 6 bytes JMP 717b000a .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075691401 2 bytes JMP 76b2b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075691419 2 bytes JMP 76b2b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075691431 2 bytes JMP 76ba9149 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007569144a 2 bytes CALL 76b04885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756914dd 2 bytes JMP 76ba8a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756914f5 2 bytes JMP 76ba8c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007569150d 2 bytes JMP 76ba8938 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075691525 2 bytes JMP 76ba8d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007569153d 2 bytes JMP 76b1fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075691555 2 bytes JMP 76b26907 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007569156d 2 bytes JMP 76ba9201 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075691585 2 bytes JMP 76ba8d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007569159d 2 bytes JMP 76ba88fc C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756915b5 2 bytes JMP 76b1fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756915cd 2 bytes JMP 76b2b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756916b2 2 bytes JMP 76ba90c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\MRC\AppData\Local\FluxSoftware\Flux\flux.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756916bd 2 bytes JMP 76ba8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70b5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70b5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes JMP 70be000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes JMP 70be000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70df000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70df000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes JMP 70af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes JMP 70af000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes JMP 70f1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes JMP 70f1000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes JMP 70bb000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70b2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70b2000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes JMP 70d0000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes JMP 70d0000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes JMP 70b8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b13bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076b13bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b19abc 6 bytes JMP 7181000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b23b7a 6 bytes JMP 7178000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b2cd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076b7ddde 6 bytes JMP 717e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076b7de81 3 bytes JMP 717b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076b7de85 2 bytes JMP 717b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753ef8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000753f2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a08332 6 bytes JMP 7151000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a08bff 6 bytes JMP 7145000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a090d3 6 bytes JMP 7100000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a09679 6 bytes JMP 713f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a097d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a0ee21 6 bytes JMP 7157000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a0efe1 3 bytes JMP 7106000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a0efe5 2 bytes JMP 7106000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a112bd 6 bytes JMP 714b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a12797 6 bytes JMP 711e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a13ef0 3 bytes JMP 7112000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a13ef4 2 bytes JMP 7112000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a145cc 3 bytes JMP 7115000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a145d0 2 bytes JMP 7115000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a1460c 6 bytes JMP 70fd000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a14713 6 bytes JMP 711b000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a147e5 3 bytes JMP 7121000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a147e9 2 bytes JMP 7121000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a14bbc 6 bytes JMP 714e000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a14d1d 6 bytes JMP 7148000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a171e0 6 bytes JMP 7154000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a171fe 6 bytes JMP 7142000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a17d59 6 bytes JMP 7103000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a181f5 6 bytes JMP 715a000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a1825a 6 bytes JMP 712d000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a182d2 6 bytes JMP 7133000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a18411 6 bytes JMP 713c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a18f4c 6 bytes JMP 715d000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a1cc1e 3 bytes JMP 710f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a1cc22 2 bytes JMP 710f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a2a072 6 bytes JMP 712a000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a2dbf5 6 bytes JMP 7127000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a2ff2a 3 bytes JMP 7124000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a2ff2e 2 bytes JMP 7124000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076a49fa4 6 bytes JMP 7109000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076a51533 6 bytes JMP 70fa000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076a6030f 6 bytes JMP 7160000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076a60353 6 bytes JMP 7163000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076a66d94 6 bytes JMP 7136000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076a66df5 6 bytes JMP 7130000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076a67e6f 3 bytes JMP 710c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076a67e73 2 bytes JMP 710c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076a68983 3 bytes JMP 7118000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076a68987 2 bytes JMP 7118000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074e858b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074e85ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074e87bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074e8b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074e8bd7d 6 bytes JMP 7166000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074e8cf11 6 bytes JMP 716c000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074e8e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074eb4aa2 6 bytes JMP 7169000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c09670 6 bytes JMP 7172000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e0c509 6 bytes JMP 7175000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075039cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075691401 2 bytes JMP 76b2b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075691419 2 bytes JMP 76b2b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075691431 2 bytes JMP 76ba9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007569144a 2 bytes CALL 76b04885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756914dd 2 bytes JMP 76ba8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756914f5 2 bytes JMP 76ba8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007569150d 2 bytes JMP 76ba8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075691525 2 bytes JMP 76ba8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007569153d 2 bytes JMP 76b1fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075691555 2 bytes JMP 76b26907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007569156d 2 bytes JMP 76ba9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075691585 2 bytes JMP 76ba8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007569159d 2 bytes JMP 76ba88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756915b5 2 bytes JMP 76b1fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756915cd 2 bytes JMP 76b2b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756916b2 2 bytes JMP 76ba90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756916bd 2 bytes JMP 76ba8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP c741 .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text C:\Program Files (x86)\KatMouse\KatMouse64.exe[3312] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b13bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076b13bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b19abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b23b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b2cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076b7ddde 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076b7de81 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076b7de85 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753ef8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000753f2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074e858b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074e85ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074e87bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074e8b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074e8bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074e8cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074e8e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074eb4aa2 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a08332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a08bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a090d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a09679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a097d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a0ee21 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a0efe1 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a0efe5 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a112bd 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a12797 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a13ef0 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a13ef4 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a145cc 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a145d0 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a1460c 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a14713 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a147e5 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a147e9 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a14bbc 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a14d1d 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a171e0 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a171fe 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a17d59 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a181f5 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a1825a 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a182d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a18411 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a18f4c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a1cc1e 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a1cc22 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a2a072 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a2dbf5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a2ff2a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a2ff2e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076a49fa4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076a51533 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076a6030f 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076a60353 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076a66d94 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076a66df5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076a67e6f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076a67e73 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076a68983 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076a68987 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075039cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c09670 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e0c509 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075691401 2 bytes JMP 76b2b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075691419 2 bytes JMP 76b2b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075691431 2 bytes JMP 76ba9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007569144a 2 bytes CALL 76b04885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756914dd 2 bytes JMP 76ba8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756914f5 2 bytes JMP 76ba8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007569150d 2 bytes JMP 76ba8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075691525 2 bytes JMP 76ba8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007569153d 2 bytes JMP 76b1fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075691555 2 bytes JMP 76b26907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007569156d 2 bytes JMP 76ba9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075691585 2 bytes JMP 76ba8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007569159d 2 bytes JMP 76ba88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756915b5 2 bytes JMP 76b1fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756915cd 2 bytes JMP 76b2b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756916b2 2 bytes JMP 76ba90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756916bd 2 bytes JMP 76ba8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\SearchIndexer.exe[4148] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes JMP 0 .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP c741 .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe[2276] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 18bfd0 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 490020 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x219320]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\wuauclt.exe[3872] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\wbem\wmiprvse.exe[5424] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes {JMP QWORD [RIP+0x8ea4210]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes {JMP QWORD [RIP+0x18dd50]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!BitBlt 000007fefed12390 6 bytes {JMP QWORD [RIP+0x3edca0]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes {JMP QWORD [RIP+0x408abc]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes {JMP QWORD [RIP+0x147e3c]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes {JMP QWORD [RIP+0x12780c]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes {JMP QWORD [RIP+0x1672b4]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes {JMP QWORD [RIP+0x44457c]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes {JMP QWORD [RIP+0x423880]} .text C:\Windows\system32\AUDIODG.EXE[2204] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077152280 6 bytes {JMP QWORD [RIP+0x8eeddb0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007717be20 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007717bef0 6 bytes {JMP QWORD [RIP+0x96e4140]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007717bff0 6 bytes {JMP QWORD [RIP+0x9584040]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007717c060 6 bytes {JMP QWORD [RIP+0x9663fd0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007717c0a0 6 bytes {JMP QWORD [RIP+0x9623f90]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007717c140 6 bytes {JMP QWORD [RIP+0x9683ef0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007717c1b0 6 bytes {JMP QWORD [RIP+0x9483e80]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007717c1d0 6 bytes {JMP QWORD [RIP+0x9603e60]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007717c210 6 bytes {JMP QWORD [RIP+0x9503e20]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007717c260 6 bytes {JMP QWORD [RIP+0x9523dd0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007717c280 6 bytes {JMP QWORD [RIP+0x9643db0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 000000007717c470 6 bytes {JMP QWORD [RIP+0x9723bc0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 000000007717c480 6 bytes {JMP QWORD [RIP+0x9443bb0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007717c580 6 bytes {JMP QWORD [RIP+0x9423ab0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 000000007717c650 6 bytes {JMP QWORD [RIP+0x95a39e0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007717c690 6 bytes {JMP QWORD [RIP+0x94a39a0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007717c700 6 bytes {JMP QWORD [RIP+0x9463930]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 000000007717c730 6 bytes {JMP QWORD [RIP+0x94e3900]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007717c790 6 bytes {JMP QWORD [RIP+0x94c38a0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 000000007717c7a0 6 bytes {JMP QWORD [RIP+0x96a3890]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c7b0 6 bytes {JMP QWORD [RIP+0x9703880]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007717cb20 6 bytes {JMP QWORD [RIP+0x95c3510]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 000000007717cbb0 6 bytes {JMP QWORD [RIP+0x96c3480]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007717d420 6 bytes {JMP QWORD [RIP+0x95e2c10]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007717d4a0 6 bytes {JMP QWORD [RIP+0x9542b90]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007717d520 6 bytes {JMP QWORD [RIP+0x9562b10]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077021870 6 bytes {JMP QWORD [RIP+0x90de7c0]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007702dd20 6 bytes {JMP QWORD [RIP+0x9032310]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007709f6e0 6 bytes {JMP QWORD [RIP+0x9000950]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007709f710 6 bytes {JMP QWORD [RIP+0x9040920]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007709f8e0 6 bytes {JMP QWORD [RIP+0x8fe0750]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000770a5730 6 bytes {JMP QWORD [RIP+0x901a900]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd1a3a50 5 bytes [FF, 25, E0, C5, 0C] .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefed122e0 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!BitBlt 000007fefed12390 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefed17574 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefed181f4 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefed18824 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!GetPixel 000007fefed18d7c 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefed1bab4 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefed1c7b0 6 bytes JMP 0 .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefdfc8f0c 6 bytes {JMP QWORD [RIP+0x14e7124]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe1e3214 6 bytes {JMP QWORD [RIP+0x12ace1c]} .text G:\Pobrane\FRST64.exe[5204] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd5d6d10 6 bytes {JMP QWORD [RIP+0x2f9320]} .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007732f9f0 3 bytes JMP 71af000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007732f9f4 2 bytes JMP 71af000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007732fb38 3 bytes JMP 70c1000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007732fb3c 2 bytes JMP 70c1000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007732fcc0 3 bytes JMP 70e2000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007732fcc4 2 bytes JMP 70e2000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007732fd74 3 bytes JMP 70cd000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007732fd78 2 bytes JMP 70cd000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007732fdd8 3 bytes JMP 70d3000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007732fddc 2 bytes JMP 70d3000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007732fed0 3 bytes JMP 70ca000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007732fed4 2 bytes JMP 70ca000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007732ff84 3 bytes JMP 70fa000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007732ff88 2 bytes JMP 70fa000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007732ffb4 3 bytes JMP 70d6000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007732ffb8 2 bytes JMP 70d6000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077330014 3 bytes JMP 70ee000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077330018 2 bytes JMP 70ee000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077330094 3 bytes JMP 70eb000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077330098 2 bytes JMP 70eb000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773300c4 3 bytes JMP 70d0000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773300c8 2 bytes JMP 70d0000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773303c8 3 bytes JMP 70bb000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773303cc 2 bytes JMP 70bb000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773303e0 3 bytes JMP 7100000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773303e4 2 bytes JMP 7100000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077330560 3 bytes JMP 7103000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077330564 2 bytes JMP 7103000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000773306a4 3 bytes JMP 70df000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000773306a8 2 bytes JMP 70df000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077330704 3 bytes JMP 70f7000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077330708 2 bytes JMP 70f7000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773307ac 3 bytes JMP 70fd000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773307b0 2 bytes JMP 70fd000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773307f4 3 bytes JMP 70f1000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773307f8 2 bytes JMP 70f1000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077330884 3 bytes JMP 70f4000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077330888 2 bytes JMP 70f4000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007733089c 3 bytes JMP 70c7000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000773308a0 2 bytes JMP 70c7000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773308b4 3 bytes JMP 70be000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773308b8 2 bytes JMP 70be000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077330e04 3 bytes JMP 70dc000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077330e08 2 bytes JMP 70dc000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077330ee8 3 bytes JMP 70c4000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077330eec 2 bytes JMP 70c4000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077331bf4 3 bytes JMP 70d9000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077331bf8 2 bytes JMP 70d9000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077331cc4 3 bytes JMP 70e8000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077331cc8 2 bytes JMP 70e8000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077331d9c 3 bytes JMP 70e5000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077331da0 2 bytes JMP 70e5000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007734d2f6 6 bytes JMP 71a8000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076b13bbb 3 bytes JMP 719c000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076b13bbf 2 bytes JMP 719c000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b19abc 6 bytes JMP 7187000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b23b7a 6 bytes JMP 717e000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000076b2cd11 6 bytes JMP 718a000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 0000000076b7ddde 6 bytes JMP 7184000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 0000000076b7de81 3 bytes JMP 7181000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 0000000076b7de85 2 bytes JMP 7181000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000753ef8a7 6 bytes JMP 719f000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 00000000753f2e0b 4 bytes CALL 71ac0000 .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076a08332 6 bytes JMP 715d000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076a08bff 6 bytes JMP 7151000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076a090d3 6 bytes JMP 710c000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076a09679 6 bytes JMP 714b000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076a097d2 6 bytes JMP 7145000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076a0ee21 6 bytes JMP 7163000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076a0efe1 3 bytes JMP 7112000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076a0efe5 2 bytes JMP 7112000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076a112bd 6 bytes JMP 7157000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076a12797 6 bytes JMP 712a000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076a13ef0 3 bytes JMP 711e000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076a13ef4 2 bytes JMP 711e000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetParent 0000000076a145cc 3 bytes JMP 7121000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076a145d0 2 bytes JMP 7121000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076a1460c 6 bytes JMP 7109000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076a14713 6 bytes JMP 7127000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076a147e5 3 bytes JMP 712d000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076a147e9 2 bytes JMP 712d000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076a14bbc 6 bytes JMP 715a000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076a14d1d 6 bytes JMP 7154000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076a171e0 6 bytes JMP 7160000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076a171fe 6 bytes JMP 714e000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076a17d59 6 bytes JMP 710f000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076a181f5 6 bytes JMP 7166000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076a1825a 6 bytes JMP 7139000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076a182d2 6 bytes JMP 713f000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076a18411 6 bytes JMP 7148000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076a18f4c 6 bytes JMP 7169000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076a1cc1e 3 bytes JMP 711b000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076a1cc22 2 bytes JMP 711b000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076a2a072 6 bytes JMP 7136000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076a2dbf5 6 bytes JMP 7133000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendInput 0000000076a2ff2a 3 bytes JMP 7130000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076a2ff2e 2 bytes JMP 7130000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076a49fa4 6 bytes JMP 7115000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076a51533 6 bytes JMP 7106000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076a6030f 6 bytes JMP 716c000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076a60353 6 bytes JMP 716f000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076a66d94 6 bytes JMP 7142000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076a66df5 6 bytes JMP 713c000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076a67e6f 3 bytes JMP 7118000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076a67e73 2 bytes JMP 7118000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076a68983 3 bytes JMP 7124000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076a68987 2 bytes JMP 7124000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074e858b3 6 bytes JMP 718d000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074e85ea5 6 bytes JMP 717b000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074e87bcc 6 bytes JMP 7196000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074e8b98a 6 bytes JMP 7190000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074e8bd7d 6 bytes JMP 7172000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000074e8cf11 6 bytes JMP 7178000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074e8e935 6 bytes JMP 7193000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000074eb4aa2 6 bytes JMP 7175000a .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075691401 2 bytes JMP 76b2b233 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075691419 2 bytes JMP 76b2b35e C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075691431 2 bytes JMP 76ba9149 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007569144a 2 bytes CALL 76b04885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756914dd 2 bytes JMP 76ba8a42 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756914f5 2 bytes JMP 76ba8c18 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007569150d 2 bytes JMP 76ba8938 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075691525 2 bytes JMP 76ba8d02 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007569153d 2 bytes JMP 76b1fcc0 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075691555 2 bytes JMP 76b26907 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007569156d 2 bytes JMP 76ba9201 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075691585 2 bytes JMP 76ba8d62 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007569159d 2 bytes JMP 76ba88fc C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756915b5 2 bytes JMP 76b1fd59 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756915cd 2 bytes JMP 76b2b2f4 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756916b2 2 bytes JMP 76ba90c4 C:\Windows\syswow64\kernel32.dll .text G:\Pobrane\vjzkvv3z.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756916bd 2 bytes JMP 76ba8891 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----