GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-20 13:06:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-75PVMT1 rev.01.01A01 298,09GB Running: lle5nhrl.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777dbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777dbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777dbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777dbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes JMP 0 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077576ee0 6 bytes {JMP QWORD [RIP+0x8ec9150]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077578164 6 bytes {JMP QWORD [RIP+0x8fa7ecc]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetParent 0000000077578500 6 bytes {JMP QWORD [RIP+0x8ee7b30]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077579bb0 6 bytes {JMP QWORD [RIP+0x8c46480]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!PostMessageA 000000007757a3d8 6 bytes {JMP QWORD [RIP+0x8c85c58]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!EnableWindow 000000007757aa84 6 bytes {JMP QWORD [RIP+0x8fe55ac]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!MoveWindow 000000007757aab0 6 bytes {JMP QWORD [RIP+0x8f05580]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007757c6dc 6 bytes {JMP QWORD [RIP+0x8ea3954]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007757cd20 6 bytes {JMP QWORD [RIP+0x8f83310]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007757d2b4 6 bytes {JMP QWORD [RIP+0x8cc2d7c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageA 000000007757d33c 6 bytes {JMP QWORD [RIP+0x8d02cf4]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007757dc20 6 bytes {JMP QWORD [RIP+0x8de2410]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007757f4f0 6 bytes {JMP QWORD [RIP+0x8fc0b40]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007757f864 6 bytes {JMP QWORD [RIP+0x8c007cc]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007757fab0 6 bytes {JMP QWORD [RIP+0x8d60580]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077580b64 6 bytes {JMP QWORD [RIP+0x8cdf4cc]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077583380 6 bytes {JMP QWORD [RIP+0x8c5ccb0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077584d3d 5 bytes {JMP QWORD [RIP+0x8c1b2f4]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!GetKeyState 0000000077584ff0 6 bytes {JMP QWORD [RIP+0x8e7b040]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077585428 6 bytes {JMP QWORD [RIP+0x8d9ac08]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageW 0000000077586b60 6 bytes {JMP QWORD [RIP+0x8d194d0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!PostMessageW 0000000077587724 6 bytes {JMP QWORD [RIP+0x8c9890c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007758ddcc 6 bytes {JMP QWORD [RIP+0x8e12264]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!GetClipboardData 000000007758e884 6 bytes {JMP QWORD [RIP+0x8f517ac]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007758f7a0 6 bytes {JMP QWORD [RIP+0x8f10890]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775928e4 6 bytes {JMP QWORD [RIP+0x8dad74c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!mouse_event 00000000775938a4 6 bytes {JMP QWORD [RIP+0x8bac78c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077598a10 6 bytes {JMP QWORD [RIP+0x8e47620]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077598bd8 6 bytes {JMP QWORD [RIP+0x8d27458]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077598c20 6 bytes {JMP QWORD [RIP+0x8bc7410]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendInput 0000000077598cd0 6 bytes {JMP QWORD [RIP+0x8e27360]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!BlockInput 000000007759ad50 6 bytes {JMP QWORD [RIP+0x8f252e0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775c1574 6 bytes {JMP QWORD [RIP+0x8fbeabc]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!keybd_event 00000000775e4650 6 bytes {JMP QWORD [RIP+0x8b3b9e0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000775ecccc 6 bytes {JMP QWORD [RIP+0x8d93364]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000775edfbc 6 bytes {JMP QWORD [RIP+0x8d12074]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x20dd50]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x22dca0]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1c7e4c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x1a781c]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1e72c4]} .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 780028 .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 620075 .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 40a .text C:\Windows\system32\lsm.exe[596] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x20dd50]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x22dca0]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1c7e4c]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x1a781c]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1e72c4]} .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 950000e2 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x20dd50]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x22dca0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1c7e4c]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x1a781c]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1e72c4]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 17a5ae0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777dbcb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 00000000777dc082 6 bytes {JMP 0xfffffffff8814090} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 322e31 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 61007400 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 15c8e .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes JMP 1f40112 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes JMP 43994399 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes JMP 8c171d8 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes JMP 5f142f4 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes JMP d1cbd91 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes JMP 8faf681 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes JMP 4c80 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes JMP 8b46111 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes JMP 8fa4048 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes JMP 8768b38 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes JMP 3cbe42f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes JMP 8fda859 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes JMP d480 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes JMP 80c0fd1 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes JMP 15f8acb6 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes JMP 290580 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes JMP 6f4fec1 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes JMP 12883 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes JMP 41e84382 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes JMP 8c34281 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes JMP c298af0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes JMP 3b3e43ab .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes JMP 3f6b4364 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes JMP 5 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes JMP 110980 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes JMP c280 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes JMP 8a1fa39 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes JMP 87a33a1 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes JMP d6d880 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes JMP 530059 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes JMP 941fa2 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes JMP 893fe91 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 740070 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x20dd50]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x22dca0]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1c7e4c]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 180 .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1e72c4]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x263890]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe898f30 6 bytes {JMP QWORD [RIP+0x17d7100]} .text C:\Windows\system32\svchost.exe[468] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefeab3384 6 bytes {JMP QWORD [RIP+0x156ccac]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1240] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1248] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 690057 .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 5D] .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x1a1dca0]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x1a38abc]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x477e4c]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x45781c]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x19672c4]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x1a7458c]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x1a53890]} .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1300] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3c9320]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 4d68636d .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 6e006e .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 27002f .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1400] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes JMP dbd10000 .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 200077 .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 1000af8a .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x28458c]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x263890]} .text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 23c0b0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1684] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 69006e .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1716] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70c1000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70c1000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70e2000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70e2000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70cd000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70cd000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70d3000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70d3000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70ca000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70ca000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70fa000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70fa000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d6000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d6000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70ee000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70ee000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70eb000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70eb000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70d0000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70d0000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70bb000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70bb000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7100000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7100000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7103000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7103000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70df000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70df000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f7000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f7000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70fd000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70fd000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70f1000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70f1000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70f4000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70f4000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c7000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c7000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70be000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70be000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70dc000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70dc000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70c4000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70c4000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d9000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d9000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e8000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e8000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70e5000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70e5000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 717b000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7172000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7178000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7175000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 715d000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 7151000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 710c000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 714b000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7145000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7163000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 7112000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 7112000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7157000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 712a000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 7121000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 7121000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7109000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 711e000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 711e000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 715a000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7154000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 7160000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 714e000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 710f000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7166000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7139000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 713f000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7148000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7169000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 711b000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 711b000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7136000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7133000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7127000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 712d000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 712d000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 7130000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 7130000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7115000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7106000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 716c000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 716f000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 7142000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 713c000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7118000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7118000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7124000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7124000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DRIVERS\o2flash.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\srvany.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\SDIOAssist.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 740072 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1908] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes JMP 740069 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes JMP 74007300 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes JMP 6e65746e .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes JMP 63323363 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes JMP 44004400 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes JMP e8f14424 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes JMP 4c560001 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 1000100 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 460020 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\Dwm.exe[2312] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes JMP feca28c0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes JMP 37a9e5c .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes JMP 64b9 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes JMP c8 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes JMP 7daff40a .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes JMP 2d7c2e .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes JMP 650074 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes JMP fbed2420 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes JMP 330038 .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 740073 .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe898f30 6 bytes {JMP QWORD [RIP+0x1267100]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefeab3384 6 bytes {JMP QWORD [RIP+0x102ccac]} .text C:\Windows\Explorer.EXE[2388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 915025ff .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\taskeng.exe[2448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 0 .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x54dd50]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x56dca0]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x588abc]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x477e4c]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x45781c]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x5272c4]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x5c458c]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x5a3890]} .text C:\Program Files\McAfee Security Scan\3.11.569\SSScheduler.exe[2788] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\RunDll32.exe[2824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\startUp.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 81 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ScreenShot\SSSvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70c1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70c1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70e2000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70e2000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70cd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70cd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70d3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70d3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70ca000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70ca000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70fa000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70fa000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70ee000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70ee000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70eb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70eb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70d0000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70d0000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70bb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70bb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7100000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7100000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7103000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7103000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70df000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70df000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70fd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70fd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70f1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70f1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70f4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70f4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70be000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70be000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70dc000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70dc000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70c4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70c4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70e5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70e5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 715d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 7151000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 710c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 714b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7145000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7163000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 7112000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 7112000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7157000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 712a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 7121000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 7121000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7109000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 711e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 711e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 715a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7154000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 7160000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 714e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 710f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7166000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7139000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 713f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7148000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7169000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 711b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 711b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7136000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7133000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7127000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 712d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 712d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 7130000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 7130000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7115000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7106000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 716c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 716f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 7142000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 713c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7118000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7118000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7124000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7124000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 717b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7172000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7178000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7175000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\wbem\unsecapp.exe[3120] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[3272] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 1000100 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x54dd50]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x56dca0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x588abc]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x5c458c]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x5a3890]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3324] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3c9320]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 1eddd0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[2760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f79cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075339630 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007553c8a9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Program Files\McAfee Security Scan\3.11.569\McUicnt.exe[1780] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x8c6dec0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000777dbbf0 6 bytes {JMP QWORD [RIP+0x8944440]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8c24410]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9844340]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000777dbd50 6 bytes {JMP QWORD [RIP+0x89242e0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000777dbd60 6 bytes {JMP QWORD [RIP+0x8b842d0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x9734240]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x8b641d0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8b04190]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000777dbec0 6 bytes {JMP QWORD [RIP+0x8ba4170]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777dbf30 6 bytes {JMP QWORD [RIP+0x89c4100]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x97e40f0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x89a4080]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8ae4060]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x96b4020]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x96d3fd0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8b43fb0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x88e3dc0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x88c3db0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8903cb0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8aa3be0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x89e3ba0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8963b30]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000777dc510 6 bytes {JMP QWORD [RIP+0x8b23b20]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8a63b00]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8a23aa0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9803a90]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x9863a80]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000777dc610 6 bytes {JMP QWORD [RIP+0x8ac3a20]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x9763710]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9823680]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777dca10 6 bytes {JMP QWORD [RIP+0x8be3620]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777dca20 6 bytes {JMP QWORD [RIP+0x8bc3610]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777dca50 6 bytes {JMP QWORD [RIP+0x8a035e0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777dcac0 6 bytes {JMP QWORD [RIP+0x8983570]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777dcb10 6 bytes {JMP QWORD [RIP+0x8a43520]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000777dd020 6 bytes {JMP QWORD [RIP+0x8a83010]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x9782e10]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000777dd240 6 bytes {JMP QWORD [RIP+0x8c02df0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x96f2d90]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x9712d10]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000776762c0 6 bytes {JMP QWORD [RIP+0x89a9d70]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x91fe7d0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000776839f0 6 bytes {JMP QWORD [RIP+0x89fc640]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x9152440]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000776f1920 6 bytes {JMP QWORD [RIP+0x894e710]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x9120960]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x9160930]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x9100760]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x913a910]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd5d9ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff8f687c 6 bytes {JMP QWORD [RIP+0x3d97b4]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff8f8e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff8f995c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff8f99e4 6 bytes {JMP QWORD [RIP+0x33664c]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff8f9ac8 6 bytes {JMP QWORD [RIP+0x316568]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff8fa51c 6 bytes {JMP QWORD [RIP+0x3b5b14]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff8fa530 6 bytes {JMP QWORD [RIP+0x395b00]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff8fa5b0 5 bytes [FF, 25, 80, 5A, 35] .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff8fa5c4 6 bytes {JMP QWORD [RIP+0x375a6c]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff8fbb28 6 bytes {JMP QWORD [RIP+0x3f4508]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff8fbb3c 3 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4884] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff8fbb40 2 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe042930 6 bytes {JMP QWORD [RIP+0x27d700]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x20dd50]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x22dca0]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1c7e4c]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x1a781c]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1e72c4]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x28458c]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x263890]} .text C:\Windows\system32\svchost.exe[4884] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x919320]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x8c6dec0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000777dbbf0 6 bytes {JMP QWORD [RIP+0x8944440]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8c24410]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9844340]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000777dbd50 6 bytes {JMP QWORD [RIP+0x89242e0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000777dbd60 6 bytes {JMP QWORD [RIP+0x8b842d0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x9734240]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x8b641d0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8b04190]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000777dbec0 6 bytes {JMP QWORD [RIP+0x8ba4170]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777dbf30 6 bytes {JMP QWORD [RIP+0x89c4100]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x97e40f0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x89a4080]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8ae4060]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x96b4020]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x96d3fd0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8b43fb0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x88e3dc0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x88c3db0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8903cb0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8aa3be0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x89e3ba0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8963b30]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000777dc510 6 bytes {JMP QWORD [RIP+0x8b23b20]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8a63b00]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8a23aa0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9803a90]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x9863a80]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000777dc610 6 bytes {JMP QWORD [RIP+0x8ac3a20]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x9763710]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9823680]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777dca10 6 bytes {JMP QWORD [RIP+0x8be3620]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777dca20 6 bytes {JMP QWORD [RIP+0x8bc3610]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777dca50 6 bytes {JMP QWORD [RIP+0x8a035e0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777dcac0 6 bytes {JMP QWORD [RIP+0x8983570]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777dcb10 6 bytes {JMP QWORD [RIP+0x8a43520]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000777dd020 6 bytes {JMP QWORD [RIP+0x8a83010]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x9782e10]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000777dd240 6 bytes {JMP QWORD [RIP+0x8c02df0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x96f2d90]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x9712d10]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000776762c0 6 bytes {JMP QWORD [RIP+0x89a9d70]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x91fe7d0]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000776839f0 6 bytes {JMP QWORD [RIP+0x89fc640]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x9152440]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000776f1920 6 bytes {JMP QWORD [RIP+0x894e710]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x9120960]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x9160930]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x9100760]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x913a910]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd5d9ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007feff8f687c 6 bytes {JMP QWORD [RIP+0x3d97b4]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007feff8f8e30 6 bytes {JMP QWORD [RIP+0x457200]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007feff8f995c 6 bytes {JMP QWORD [RIP+0x4366d4]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007feff8f99e4 6 bytes {JMP QWORD [RIP+0x33664c]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007feff8f9ac8 6 bytes {JMP QWORD [RIP+0x316568]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007feff8fa51c 6 bytes {JMP QWORD [RIP+0x3b5b14]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007feff8fa530 6 bytes {JMP QWORD [RIP+0x395b00]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007feff8fa5b0 5 bytes [FF, 25, 80, 5A, 35] .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007feff8fa5c4 6 bytes {JMP QWORD [RIP+0x375a6c]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007feff8fbb28 6 bytes {JMP QWORD [RIP+0x3f4508]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007feff8fbb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007feff8fbb40 2 bytes [41, 00] .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x248abc]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x1a781c]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x28458c]} .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes JMP 700065 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x919320]} .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtReplyPort 000000007798f9a4 3 bytes JMP 715d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtReplyPort + 4 000000007798f9a8 2 bytes JMP 715d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 7118000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 7118000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 6fd6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 6fd6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtRequestWaitReplyPort 000000007798fbd0 3 bytes JMP 7160000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtRequestWaitReplyPort + 4 000000007798fbd4 2 bytes JMP 7160000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtQueryVirtualMemory 000000007798fbe8 3 bytes JMP 7127000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtQueryVirtualMemory + 4 000000007798fbec 2 bytes JMP 7127000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 6fed000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 6fed000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 712a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 712a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 7133000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 7133000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007798fe08 3 bytes JMP 7124000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile + 4 000000007798fe0c 2 bytes JMP 7124000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007798feb8 3 bytes JMP 7151000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent + 4 000000007798febc 2 bytes JMP 7151000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 6fdf000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 6fdf000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 7154000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 7154000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 7136000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 7136000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 6ff9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 6ff9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 6ff6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 6ff6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 712d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 712d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 7166000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 7166000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7169000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7169000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7163000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7163000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 713c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 713c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 714e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 714e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 715a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 715a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateNamedPipeFile 00000000779907c4 3 bytes JMP 7130000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateNamedPipeFile + 4 00000000779907c8 2 bytes JMP 7130000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 7142000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 7142000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 7148000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 7148000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 6fdc000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 6fdc000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 6fd3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 6fd3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateWaitablePort 0000000077990944 3 bytes JMP 7139000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateWaitablePort + 4 0000000077990948 2 bytes JMP 7139000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 6fe9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 6fe9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 6fd9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 6fd9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077990f80 3 bytes JMP 711e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey + 4 0000000077990f84 2 bytes JMP 711e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077990f98 3 bytes JMP 7121000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys + 4 0000000077990f9c 2 bytes JMP 7121000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEventPair 0000000077990fe0 3 bytes JMP 714b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEventPair + 4 0000000077990fe4 2 bytes JMP 714b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077991088 3 bytes JMP 7157000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 4 000000007799108c 2 bytes JMP 7157000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077991100 3 bytes JMP 7145000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 4 0000000077991104 2 bytes JMP 7145000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort 00000000779918d0 3 bytes JMP 713f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 4 00000000779918d4 2 bytes JMP 713f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 6fe6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 6fe6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime 0000000077991c24 3 bytes JMP 711b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 4 0000000077991c28 2 bytes JMP 711b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 6ff3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 6ff3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 6ff0000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 6ff0000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 7115000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!RegOpenKeyExW 0000000076fe22d1 6 bytes JMP 718d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!GetPrivateProfileStringW 0000000076feea38 6 bytes JMP 71ab000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!GetPrivateProfileStringA 0000000076ff183c 6 bytes JMP 71a8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 70ae000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 70ae000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7099000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 7090000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 709c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7096000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7093000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 70b1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ae2bdc 6 bytes JMP 70b7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71af0000 .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassNameW 00000000767382b9 6 bytes JMP 70ee000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 705a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076738a39 6 bytes JMP 70e8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterClassW 0000000076738a75 6 bytes JMP 710c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 704e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 7009000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 7048000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7042000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!FindWindowW 000000007673990d 6 bytes JMP 70ca000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!UnregisterClassW 0000000076739f94 6 bytes JMP 7100000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterClassExW 000000007673b18d 6 bytes JMP 7106000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassInfoExW 000000007673b248 6 bytes JMP 70fa000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassInfoW 000000007673b432 6 bytes JMP 70f4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!EnumWindows 000000007673d1df 6 bytes JMP 70c4000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007673d23e 6 bytes JMP 70e5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterClassExA 000000007673dba8 6 bytes JMP 7103000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!UnregisterClassA 000000007673dcfd 6 bytes JMP 70fd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7060000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 700f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 700f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007673fff6 6 bytes JMP 70c7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000767400e9 6 bytes JMP 70cd000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!EnumChildWindows 0000000076740ea4 6 bytes JMP 70be000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7054000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 7027000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 701e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 701e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7006000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 701b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 701b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!EnumThreadWindows 0000000076743971 6 bytes JMP 70c1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 7057000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7051000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterClassA 000000007674435b 6 bytes JMP 7109000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!EnumDesktopWindows 0000000076745f63 6 bytes JMP 70bb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 705d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 704b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassInfoExA 000000007674696f 6 bytes JMP 70f7000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassInfoA 0000000076746aee 6 bytes JMP 70f1000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 700c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7063000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7036000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 703c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7045000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClassNameA 00000000767479ef 6 bytes JMP 70eb000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7066000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 000000007674b039 6 bytes JMP 7073000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 7018000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 7018000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 000000007674c64e 6 bytes JMP 7076000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076755256 6 bytes JMP 70dc000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7033000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007675cc03 6 bytes JMP 706e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007675ce64 6 bytes JMP 70d3000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007675cfde 6 bytes JMP 70d9000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7030000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetShellWindow 000000007675e8c8 3 bytes JMP 71a5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetShellWindow + 4 000000007675e8cc 2 bytes JMP 71a5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7024000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 702a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 702a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetLayeredWindowAttributes 000000007675eca8 3 bytes JMP 707b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SetLayeredWindowAttributes + 4 000000007675ecac 2 bytes JMP 707b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007675f5a8 6 bytes JMP 70d0000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 702d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 702d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000767610c0 6 bytes JMP 70e2000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000767610fc 6 bytes JMP 70df000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7012000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007677cbe0 6 bytes JMP 70d6000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007677cf38 6 bytes JMP 706b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7003000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 707e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 7081000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 703f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 7039000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7015000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7015000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7021000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7021000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 709f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 708d000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 70a8000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 70a2000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7084000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 708a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 70a5000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7087000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!StartServiceCtrlDispatcherW 0000000076b2a8e5 6 bytes JMP 71a2000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerW 0000000076b2a8fd 6 bytes JMP 7193000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 0000000076b2a92d 6 bytes JMP 719c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!SetServiceStatus 0000000076b2c726 6 bytes JMP 7190000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerA 0000000076b6377f 6 bytes JMP 7196000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 0000000076b6378f 6 bytes JMP 7199000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\ADVAPI32.dll!StartServiceCtrlDispatcherA 0000000076b6380f 6 bytes JMP 719f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!SetServiceStatus 00000000771f4f9c 6 bytes JMP 7178000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!I_ScValidatePnPService 00000000771f6b9d 6 bytes JMP 716c000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!I_ScPnPGetServiceName 00000000771f7c40 6 bytes JMP 716f000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerW 00000000771f7d47 6 bytes JMP 717b000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerA 00000000771f7d64 6 bytes JMP 717e000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerExW 00000000771f7da8 6 bytes JMP 7184000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerExA 00000000771f7dc6 6 bytes JMP 7181000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!StartServiceCtrlDispatcherA 00000000771f84eb 6 bytes JMP 7187000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!StartServiceCtrlDispatcherW 00000000771f85b2 6 bytes JMP 718a000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!NotifyServiceStatusChange 00000000771fa0ff 6 bytes JMP 7175000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\SysWOW64\sechost.dll!NotifyServiceStatusChangeA 00000000771fa11d 6 bytes JMP 7172000a .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\VIDEOD~1\bar\2.bin\4zbarsvc.exe[5012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes JMP 790079 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\taskeng.exe[4720] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes {JMP QWORD [RIP+0x3b9320]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes {JMP QWORD [RIP+0x1edd50]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes {JMP QWORD [RIP+0x1c72c4]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\system32\AUDIODG.EXE[4564] C:\Windows\System32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP ffffffff .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000777b2170 6 bytes {JMP QWORD [RIP+0x888dec0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777dbc20 6 bytes {JMP QWORD [RIP+0x8844410]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000777dbcf0 6 bytes {JMP QWORD [RIP+0x9084340]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777dbdf0 6 bytes {JMP QWORD [RIP+0x8f24240]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777dbe60 6 bytes {JMP QWORD [RIP+0x90041d0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777dbea0 6 bytes {JMP QWORD [RIP+0x8fc4190]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777dbf40 6 bytes {JMP QWORD [RIP+0x90240f0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777dbfb0 6 bytes {JMP QWORD [RIP+0x8e24080]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777dbfd0 6 bytes {JMP QWORD [RIP+0x8fa4060]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777dc010 6 bytes {JMP QWORD [RIP+0x8ea4020]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777dc060 6 bytes {JMP QWORD [RIP+0x8ec3fd0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000777dc080 6 bytes {JMP QWORD [RIP+0x8fe3fb0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777dc270 6 bytes {JMP QWORD [RIP+0x90c3dc0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000777dc280 6 bytes {JMP QWORD [RIP+0x8de3db0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777dc380 6 bytes {JMP QWORD [RIP+0x8dc3cb0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000777dc450 6 bytes {JMP QWORD [RIP+0x8f43be0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777dc490 6 bytes {JMP QWORD [RIP+0x8e43ba0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777dc500 6 bytes {JMP QWORD [RIP+0x8e03b30]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000777dc530 6 bytes {JMP QWORD [RIP+0x8e83b00]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777dc590 6 bytes {JMP QWORD [RIP+0x8e63aa0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000777dc5a0 6 bytes {JMP QWORD [RIP+0x9043a90]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777dc5b0 6 bytes {JMP QWORD [RIP+0x90a3a80]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777dc920 6 bytes {JMP QWORD [RIP+0x8f63710]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000777dc9b0 6 bytes {JMP QWORD [RIP+0x9063680]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777dd220 6 bytes {JMP QWORD [RIP+0x8f82e10]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777dd2a0 6 bytes {JMP QWORD [RIP+0x8ee2d90]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777dd320 6 bytes {JMP QWORD [RIP+0x8f02d10]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077681860 6 bytes {JMP QWORD [RIP+0x8a7e7d0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007768dbf0 6 bytes {JMP QWORD [RIP+0x89d2440]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000776ff6d0 6 bytes {JMP QWORD [RIP+0x89a0960]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 00000000776ff700 6 bytes {JMP QWORD [RIP+0x89e0930]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000776ff8d0 6 bytes {JMP QWORD [RIP+0x8980760]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077705720 6 bytes {JMP QWORD [RIP+0x89ba910]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5d3a50 5 bytes [FF, 25, E0, C5, 0E] .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe1322e0 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe132390 6 bytes {JMP QWORD [RIP+0x20dca0]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe137574 6 bytes {JMP QWORD [RIP+0x228abc]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe1381e4 6 bytes {JMP QWORD [RIP+0x1a7e4c]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe138814 6 bytes {JMP QWORD [RIP+0x18781c]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe138d6c 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe13baa4 6 bytes {JMP QWORD [RIP+0x26458c]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe13c7a0 6 bytes {JMP QWORD [RIP+0x243890]} .text C:\Windows\System32\WUDFHost.exe[4876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff706d10 6 bytes JMP 0 .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007798f9f0 3 bytes JMP 71af000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007798f9f4 2 bytes JMP 71af000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007798fb38 3 bytes JMP 70c1000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007798fb3c 2 bytes JMP 70c1000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fcc0 3 bytes JMP 70e2000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007798fcc4 2 bytes JMP 70e2000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007798fd74 3 bytes JMP 70cd000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007798fd78 2 bytes JMP 70cd000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007798fdd8 3 bytes JMP 70d3000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007798fddc 2 bytes JMP 70d3000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007798fed0 3 bytes JMP 70ca000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007798fed4 2 bytes JMP 70ca000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007798ff84 3 bytes JMP 70fa000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007798ff88 2 bytes JMP 70fa000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007798ffb4 3 bytes JMP 70d6000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007798ffb8 2 bytes JMP 70d6000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077990014 3 bytes JMP 70ee000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077990018 2 bytes JMP 70ee000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990094 3 bytes JMP 70eb000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077990098 2 bytes JMP 70eb000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779900c4 3 bytes JMP 70d0000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779900c8 2 bytes JMP 70d0000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779903c8 3 bytes JMP 70bb000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779903cc 2 bytes JMP 70bb000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000779903e0 3 bytes JMP 7100000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000779903e4 2 bytes JMP 7100000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077990560 3 bytes JMP 7103000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077990564 2 bytes JMP 7103000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779906a4 3 bytes JMP 70df000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779906a8 2 bytes JMP 70df000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077990704 3 bytes JMP 70f7000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077990708 2 bytes JMP 70f7000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779907ac 3 bytes JMP 70fd000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000779907b0 2 bytes JMP 70fd000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000779907f4 3 bytes JMP 70f1000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000779907f8 2 bytes JMP 70f1000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077990884 3 bytes JMP 70f4000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077990888 2 bytes JMP 70f4000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799089c 3 bytes JMP 70c7000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779908a0 2 bytes JMP 70c7000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779908b4 3 bytes JMP 70be000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779908b8 2 bytes JMP 70be000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e04 3 bytes JMP 70dc000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077990e08 2 bytes JMP 70dc000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077990ee8 3 bytes JMP 70c4000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077990eec 2 bytes JMP 70c4000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991bf4 3 bytes JMP 70d9000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077991bf8 2 bytes JMP 70d9000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077991cc4 3 bytes JMP 70e8000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077991cc8 2 bytes JMP 70e8000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077991d9c 3 bytes JMP 70e5000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077991da0 2 bytes JMP 70e5000a .text E:\lle5nhrl.exe[4812] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779ac0f0 6 bytes JMP 71a8000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ff3be3 3 bytes JMP 719c000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ff3be7 2 bytes JMP 719c000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076ff9ae4 6 bytes JMP 7187000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000077003baa 6 bytes JMP 717e000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007700cd11 6 bytes JMP 718a000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007705dda6 6 bytes JMP 7184000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007705de49 6 bytes JMP 7181000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf8a7 6 bytes JMP 719f000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076ae2e0b 4 bytes CALL 71ac0000 .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076738342 6 bytes JMP 715d000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076738c0f 6 bytes JMP 7151000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000767390e3 6 bytes JMP 710c000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076739689 6 bytes JMP 714b000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000767397e2 6 bytes JMP 7145000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007673ee19 6 bytes JMP 7163000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007673efd9 3 bytes JMP 7112000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007673efdd 2 bytes JMP 7112000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767412b5 6 bytes JMP 7157000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007674292f 6 bytes JMP 712a000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetParent 0000000076742d74 3 bytes JMP 7121000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076742d78 2 bytes JMP 7121000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076742db4 6 bytes JMP 7109000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000767436a8 3 bytes JMP 711e000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000767436ac 2 bytes JMP 711e000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076743bba 6 bytes JMP 715a000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076743c71 6 bytes JMP 7154000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076746120 6 bytes JMP 7160000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007674613e 6 bytes JMP 714e000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076746c40 6 bytes JMP 710f000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747613 6 bytes JMP 7166000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076747678 6 bytes JMP 7139000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000767476f0 6 bytes JMP 713f000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007674782f 6 bytes JMP 7148000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674836c 6 bytes JMP 7169000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007674c4c6 3 bytes JMP 711b000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007674c4ca 2 bytes JMP 711b000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007675c122 6 bytes JMP 7136000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007675d109 6 bytes JMP 7133000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007675ebb6 6 bytes JMP 7127000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007675ec88 3 bytes JMP 712d000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007675ec8c 2 bytes JMP 712d000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendInput 000000007675ff6a 3 bytes JMP 7130000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007675ff6e 2 bytes JMP 7130000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076779fdb 6 bytes JMP 7115000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007678156b 6 bytes JMP 7106000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076790343 6 bytes JMP 716c000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076790387 6 bytes JMP 716f000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076796dc4 6 bytes JMP 7142000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076796e25 6 bytes JMP 713c000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076797e9f 3 bytes JMP 7118000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076797ea3 2 bytes JMP 7118000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000767989b3 3 bytes JMP 7124000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000767989b7 2 bytes JMP 7124000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000774f58b3 6 bytes JMP 718d000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000774f5ea5 6 bytes JMP 717b000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000774f7bcc 6 bytes JMP 7196000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000774fb98a 6 bytes JMP 7190000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000774fbd7d 6 bytes JMP 7172000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000774fcf11 6 bytes JMP 7178000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000774fe935 6 bytes JMP 7193000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077524aaa 6 bytes JMP 7175000a .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7700b263 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7700b38e C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 770890f1 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 76fe48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 770889ea C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 77088bc0 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 770888e0 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 77088caa C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 76fffce8 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 77006937 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 770891a9 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 77088d0a C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 770888a4 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 76fffd81 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7700b324 C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 7708906c C:\Windows\syswow64\kernel32.dll .text E:\lle5nhrl.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 77088839 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [468:412] 00000000019d0d3c Thread C:\Windows\system32\svchost.exe [468:380] 00000000019d0d3c Thread C:\Windows\system32\svchost.exe [468:1564] 00000000019d0d3c Thread C:\Windows\system32\svchost.exe [468:1776] 00000000019c7378 Thread C:\Windows\system32\svchost.exe [468:1772] 00000000019c7378 Thread C:\Windows\system32\svchost.exe [468:2684] 0000000001c10c8c Thread C:\Windows\system32\svchost.exe [468:2672] 0000000001c10c8c Thread C:\Windows\system32\svchost.exe [468:2668] 0000000001c10c8c Thread C:\Windows\system32\svchost.exe [468:2744] 0000000001c07378 Thread C:\Windows\system32\svchost.exe [468:2728] 0000000001c07378 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{386C31E9-E583-4C0D-A6E7-21904AB939CF}\Connection@Name isatap.{30CD6F29-8330-4C4F-91C0-65AF23D16C00} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{D823DEC9-0D79-4829-A0E4-0A183BC22C54}?\Device\{328F7B0F-9EA7-4B14-A8F7-39FB2CBBC86E}?\Device\{995AA0D6-4007-4E73-B6EA-E8577171C4B0}?\Device\{386C31E9-E583-4C0D-A6E7-21904AB939CF}?\Device\{FB14E4FA-45CA-4A52-BD59-A470AC743A92}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{D823DEC9-0D79-4829-A0E4-0A183BC22C54}"?"{328F7B0F-9EA7-4B14-A8F7-39FB2CBBC86E}"?"{995AA0D6-4007-4E73-B6EA-E8577171C4B0}"?"{386C31E9-E583-4C0D-A6E7-21904AB939CF}"?"{FB14E4FA-45CA-4A52-BD59-A470AC743A92}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{D823DEC9-0D79-4829-A0E4-0A183BC22C54}?\Device\TCPIP6TUNNEL_{328F7B0F-9EA7-4B14-A8F7-39FB2CBBC86E}?\Device\TCPIP6TUNNEL_{995AA0D6-4007-4E73-B6EA-E8577171C4B0}?\Device\TCPIP6TUNNEL_{386C31E9-E583-4C0D-A6E7-21904AB939CF}?\Device\TCPIP6TUNNEL_{FB14E4FA-45CA-4A52-BD59-A470AC743A92}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70dee10ed Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70dee10ed@f04347e0471a 0x90 0xE2 0x24 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbab1aa4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{386C31E9-E583-4C0D-A6E7-21904AB939CF}@InterfaceName isatap.{30CD6F29-8330-4C4F-91C0-65AF23D16C00} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{386C31E9-E583-4C0D-A6E7-21904AB939CF}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70dee10ed (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70dee10ed@f04347e0471a 0x90 0xE2 0x24 0x8A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbab1aa4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----