GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-23 22:31:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 INTEL_SSDSC2BW120A4 rev.DC32 111,79GB Running: u12kom5p.exe; Driver: C:\Users\AZE\AppData\Local\Temp\kxldrpob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777bbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777bbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777bbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777bbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\services.exe[508] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe662930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077556ee0 6 bytes {JMP QWORD [RIP+0x8ee9150]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077558164 6 bytes {JMP QWORD [RIP+0x8fc7ecc]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetParent 0000000077558500 6 bytes {JMP QWORD [RIP+0x8f07b30]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077559bb0 6 bytes {JMP QWORD [RIP+0x8c66480]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!PostMessageA 000000007755a3d8 6 bytes {JMP QWORD [RIP+0x8ca5c58]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!EnableWindow 000000007755aa84 6 bytes {JMP QWORD [RIP+0x90055ac]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!MoveWindow 000000007755aab0 6 bytes {JMP QWORD [RIP+0x8f25580]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007755c6dc 6 bytes {JMP QWORD [RIP+0x8ec3954]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007755cd20 6 bytes {JMP QWORD [RIP+0x8fa3310]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007755d2b4 6 bytes {JMP QWORD [RIP+0x8ce2d7c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageA 000000007755d33c 6 bytes {JMP QWORD [RIP+0x8d22cf4]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007755dc20 6 bytes {JMP QWORD [RIP+0x8e02410]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007755f4f0 6 bytes {JMP QWORD [RIP+0x8fe0b40]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007755f864 6 bytes {JMP QWORD [RIP+0x8c207cc]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007755fab0 6 bytes {JMP QWORD [RIP+0x8d80580]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077560b64 6 bytes {JMP QWORD [RIP+0x8cff4cc]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077563380 6 bytes {JMP QWORD [RIP+0x8c7ccb0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077564d3d 5 bytes {JMP QWORD [RIP+0x8c3b2f4]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!GetKeyState 0000000077564ff0 6 bytes {JMP QWORD [RIP+0x8e9b040]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077565428 6 bytes {JMP QWORD [RIP+0x8dbac08]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageW 0000000077566b60 6 bytes {JMP QWORD [RIP+0x8d394d0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!PostMessageW 0000000077567724 6 bytes {JMP QWORD [RIP+0x8cb890c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007756ddcc 6 bytes {JMP QWORD [RIP+0x8e32264]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!GetClipboardData 000000007756e884 6 bytes {JMP QWORD [RIP+0x8f717ac]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007756f7a0 6 bytes {JMP QWORD [RIP+0x8f30890]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775728e4 6 bytes {JMP QWORD [RIP+0x8dcd74c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!mouse_event 00000000775738a4 6 bytes {JMP QWORD [RIP+0x8bcc78c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077578a10 6 bytes {JMP QWORD [RIP+0x8e67620]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077578bd8 6 bytes {JMP QWORD [RIP+0x8d47458]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077578c20 6 bytes {JMP QWORD [RIP+0x8be7410]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendInput 0000000077578cd0 6 bytes {JMP QWORD [RIP+0x8e47360]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!BlockInput 000000007757ad50 6 bytes {JMP QWORD [RIP+0x8f452e0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775a1574 6 bytes {JMP QWORD [RIP+0x8fdeabc]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!keybd_event 00000000775c4650 6 bytes {JMP QWORD [RIP+0x8b5b9e0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775ccccc 6 bytes {JMP QWORD [RIP+0x8db3364]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775cdfbc 6 bytes {JMP QWORD [RIP+0x8d32074]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\services.exe[508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 3010061 .text C:\Windows\system32\services.exe[508] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP e011b215 .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\lsass.exe[516] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 900000b7 .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[524] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe662930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[668] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\nvwmi64.exe[732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe662930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 280073 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 4 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777bbcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 00000000777bc082 6 bytes {JMP 0xfffffffff8834090} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 10000100 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes JMP 740072 .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\System32\svchost.exe[308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP c7e9 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe662930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefed48f30 6 bytes {JMP QWORD [RIP+0x12c7100]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefef63384 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\AUDIODG.EXE[1048] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\nvwmi64.exe[1164] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe662930 6 bytes {JMP QWORD [RIP+0x12d700]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 330031 .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1316] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 21] .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\WLANExt.exe[1400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1412] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes JMP 6e0077 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\taskeng.exe[1484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 6570975e .text C:\Windows\System32\svchost.exe[1692] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x328abc]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xf7e4c]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x36458c]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x343890]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1848] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 290036 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 23] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xf7e4c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes JMP 17 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes JMP 1f .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes JMP 7 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes JMP 1f69600 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes JMP 1 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes JMP 4d005c .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes JMP 1 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes JMP ed1dc8e0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes JMP 3898 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes JMP 47 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes JMP 1f .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes JMP 8e23a30 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes JMP 90c3c70 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes JMP ed1dc870 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes JMP ed1dc870 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes JMP 2d542 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes JMP 7 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes JMP 1f69600 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes JMP 1f69600 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes JMP 0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes JMP ed1dc2f0 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 23] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x30dca0]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x328abc]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xf7e4c]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x36458c]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x343890]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe[1220] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 2c4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2072] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x30dca0]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x328abc]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[2540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x343890]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\taskhost.exe[2700] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x30dca0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x328abc]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xf7e4c]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0xd781c]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0x13dd50]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x30dca0]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x328abc]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xf7e4c]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes JMP 0 .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0x1172c4]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x36458c]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x343890]} .text C:\Windows\System32\alg.exe[2956] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\Dwm.exe[2376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefed48f30 5 bytes [FF, 25, 00, 71, D8] .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefef63384 6 bytes {JMP QWORD [RIP+0xb4ccac]} .text C:\Windows\Explorer.EXE[2828] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP ffffffff .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes JMP 6c015b .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\System32\WUDFHost.exe[3168] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\System32\WUDFHost.exe[3432] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777bbcb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 8 bytes JMP 000000006fff00d8 .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\PixArt\PAC7311\Monitor.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes JMP 27b144 .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\taskeng.exe[3932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70be000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70be000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70df000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 7178000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 7166000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7151000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 713f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 7106000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 7115000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 7154000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7103000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 715a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 712d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 710f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 710f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 712a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 7127000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 711b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 7109000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 70fa000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7160000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7163000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 710c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 7118000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 7118000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 7175000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 1003e .text C:\Windows\servicing\TrustedInstaller.exe[1356] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 6570975e .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077792170 6 bytes {JMP QWORD [RIP+0x88adec0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777bbc20 6 bytes {JMP QWORD [RIP+0x8864410]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777bbcf0 6 bytes {JMP QWORD [RIP+0x90a4340]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777bbdf0 6 bytes {JMP QWORD [RIP+0x8f44240]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777bbe60 6 bytes {JMP QWORD [RIP+0x90241d0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777bbea0 6 bytes {JMP QWORD [RIP+0x8fe4190]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777bbf40 6 bytes {JMP QWORD [RIP+0x90440f0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777bbfb0 6 bytes {JMP QWORD [RIP+0x8e44080]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777bbfd0 6 bytes {JMP QWORD [RIP+0x8fc4060]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777bc010 6 bytes {JMP QWORD [RIP+0x8ec4020]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777bc060 6 bytes {JMP QWORD [RIP+0x8ee3fd0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777bc080 6 bytes {JMP QWORD [RIP+0x9003fb0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777bc270 6 bytes {JMP QWORD [RIP+0x90e3dc0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777bc280 6 bytes {JMP QWORD [RIP+0x8e03db0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777bc380 6 bytes {JMP QWORD [RIP+0x8de3cb0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777bc450 6 bytes {JMP QWORD [RIP+0x8f63be0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777bc490 6 bytes {JMP QWORD [RIP+0x8e63ba0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777bc500 6 bytes {JMP QWORD [RIP+0x8e23b30]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777bc530 6 bytes {JMP QWORD [RIP+0x8ea3b00]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777bc590 6 bytes {JMP QWORD [RIP+0x8e83aa0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777bc5a0 6 bytes {JMP QWORD [RIP+0x9063a90]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777bc5b0 6 bytes {JMP QWORD [RIP+0x90c3a80]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777bc920 6 bytes {JMP QWORD [RIP+0x8f83710]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777bc9b0 6 bytes {JMP QWORD [RIP+0x9083680]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777bd220 6 bytes {JMP QWORD [RIP+0x8fa2e10]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777bd2a0 6 bytes {JMP QWORD [RIP+0x8f02d90]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777bd320 6 bytes {JMP QWORD [RIP+0x8f22d10]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes {JMP QWORD [RIP+0x10dca0]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes JMP 65006d .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes JMP 40a .text C:\Windows\system32\SearchIndexer.exe[3684] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077661860 6 bytes {JMP QWORD [RIP+0x8a9e7d0]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007766dbf0 6 bytes {JMP QWORD [RIP+0x89f2440]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776df6d0 6 bytes {JMP QWORD [RIP+0x89c0960]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776df700 6 bytes {JMP QWORD [RIP+0x8a00930]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776df8d0 6 bytes {JMP QWORD [RIP+0x89a0760]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000776e5720 6 bytes {JMP QWORD [RIP+0x89da910]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd503a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdc022e0 6 bytes {JMP QWORD [RIP+0xedd50]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdc02390 6 bytes JMP 1a47b0 .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdc07574 6 bytes {JMP QWORD [RIP+0x128abc]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdc081e4 6 bytes {JMP QWORD [RIP+0xa7e4c]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdc08814 6 bytes {JMP QWORD [RIP+0x8781c]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdc08d6c 6 bytes {JMP QWORD [RIP+0xc72c4]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdc0baa4 6 bytes {JMP QWORD [RIP+0x31458c]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdc0c7a0 6 bytes {JMP QWORD [RIP+0x143890]} .text C:\Windows\system32\SearchProtocolHost.exe[4132] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe336d10 6 bytes {JMP QWORD [RIP+0x439320]} .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[4152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70be000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70b2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70b2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes JMP 7181000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes JMP 7178000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes JMP 717e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes JMP 717b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes JMP 7166000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes JMP 716c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes JMP 7193000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes JMP 7151000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 713f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes JMP 7154000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes JMP 7103000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes JMP 715a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 7109000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes JMP 7160000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes JMP 7163000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076609630 6 bytes JMP 7172000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007680c8a9 6 bytes JMP 7175000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075359cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[4436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9f0 3 bytes JMP 71af000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007796f9f4 2 bytes JMP 71af000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007796fb38 3 bytes JMP 70c1000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007796fb3c 2 bytes JMP 70c1000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007796fcc0 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007796fcc4 2 bytes [E1, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd74 3 bytes JMP 70cd000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007796fd78 2 bytes JMP 70cd000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdd8 3 bytes JMP 70d3000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007796fddc 2 bytes JMP 70d3000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007796fed0 3 bytes JMP 70ca000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007796fed4 2 bytes JMP 70ca000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007796ff84 3 bytes JMP 70fa000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007796ff88 2 bytes JMP 70fa000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffb4 3 bytes JMP 70d6000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007796ffb8 2 bytes JMP 70d6000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077970014 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077970018 2 bytes [ED, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077970094 3 bytes JMP 70eb000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077970098 2 bytes JMP 70eb000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700c4 3 bytes JMP 70d0000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779700c8 2 bytes JMP 70d0000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779703c8 3 bytes JMP 70bb000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779703cc 2 bytes JMP 70bb000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779703e0 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779703e4 2 bytes [FF, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077970560 3 bytes JMP 7103000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077970564 2 bytes JMP 7103000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779706a4 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779706a8 2 bytes [DE, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077970704 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077970708 2 bytes [F6, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779707ac 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779707b0 2 bytes [FC, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779707f4 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779707f8 2 bytes [F0, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077970884 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077970888 2 bytes [F3, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007797089c 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779708a0 2 bytes [C6, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779708b4 3 bytes JMP 70be000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779708b8 2 bytes JMP 70be000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077970e04 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077970e08 2 bytes [DB, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077970ee8 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077970eec 2 bytes [C3, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077971bf4 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077971bf8 2 bytes [D8, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077971cc4 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077971cc8 2 bytes [E7, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077971d9c 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077971da0 2 bytes [E4, 70] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007798c0f0 6 bytes JMP 71a8000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000761e3be3 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000761e3be7 2 bytes [9B, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000761e9ae4 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000761f3baa 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000761fcd11 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007624dda6 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007624de49 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075bff8a7 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000075c02e0b 4 bytes CALL 71ac0000 .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077328342 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077328c0f 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000773290e3 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077329689 6 bytes JMP 714b000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000773297e2 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007732ee19 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007732efd9 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007732efdd 2 bytes [11, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000773312b5 6 bytes JMP 7157000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007733292f 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetParent 0000000077332d74 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077332d78 2 bytes [20, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077332db4 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000773336a8 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000773336ac 2 bytes [1D, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077333bba 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077333c71 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077336120 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007733613e 6 bytes JMP 714e000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077336c40 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077337613 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077337678 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000773376f0 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007733782f 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007733836c 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007733c4c6 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007733c4ca 2 bytes [1A, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007734c122 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007734d109 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007734ebb6 6 bytes JMP 7127000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007734ec88 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007734ec8c 2 bytes [2C, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendInput 000000007734ff6a 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007734ff6e 2 bytes [2F, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000077369fdb 6 bytes JMP 7115000a .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007737156b 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!mouse_event 0000000077380343 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!keybd_event 0000000077380387 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000077386dc4 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000077386e25 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!BlockInput 0000000077387e9f 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000077387ea3 2 bytes [17, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000773889b3 3 bytes [FF, 25, 1E] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000773889b7 2 bytes [23, 71] .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000761458b3 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076145ea5 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076147bcc 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007614b98a 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007614bd7d 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007614cf11 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007614e935 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076174aaa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 761fb263 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 761fb38e C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 762790f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 761d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 762789ea C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76278bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 762788e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76278caa C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 761efce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 761f6937 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 762791a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76278d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 762788a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 761efd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 761fb324 C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 7627906c C:\Windows\syswow64\kernel32.dll .text C:\Users\AZE\Downloads\u12kom5p.exe[5412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76278839 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----