GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-02 14:24:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-6 ST31000524AS rev.JC45 931.51GB Running: m57g1hli.exe; Driver: C:\Users\Karol\AppData\Local\Temp\pwlyypog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077806ef0 6 bytes {JMP QWORD [RIP+0x8b99140]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077808184 6 bytes {JMP QWORD [RIP+0x8c77eac]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SetParent 0000000077808530 6 bytes {JMP QWORD [RIP+0x8bb7b00]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!PostMessageA 000000007780a404 6 bytes {JMP QWORD [RIP+0x8955c2c]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!EnableWindow 000000007780aaa0 6 bytes {JMP QWORD [RIP+0x8cb5590]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!MoveWindow 000000007780aad0 6 bytes {JMP QWORD [RIP+0x8bd5560]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007780c720 6 bytes {JMP QWORD [RIP+0x8b73910]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007780cd50 6 bytes {JMP QWORD [RIP+0x8c532e0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007780d2b0 6 bytes {JMP QWORD [RIP+0x8992d80]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageA 000000007780d338 6 bytes {JMP QWORD [RIP+0x89d2cf8]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007780dc40 6 bytes {JMP QWORD [RIP+0x8ab23f0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007780f510 6 bytes {JMP QWORD [RIP+0x8c90b20]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007780f874 6 bytes {JMP QWORD [RIP+0x89107bc]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007780fac0 6 bytes {JMP QWORD [RIP+0x8a30570]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077810b74 6 bytes {JMP QWORD [RIP+0x89af4bc]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077814d4d 5 bytes {JMP QWORD [RIP+0x892b2e4]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!GetKeyState 0000000077815010 6 bytes {JMP QWORD [RIP+0x8b4b020]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077815438 6 bytes {JMP QWORD [RIP+0x8a6abf8]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageW 0000000077816b50 6 bytes {JMP QWORD [RIP+0x89e94e0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!PostMessageW 00000000778176e4 6 bytes {JMP QWORD [RIP+0x896894c]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007781dd90 6 bytes {JMP QWORD [RIP+0x8ae22a0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!GetClipboardData 000000007781e874 6 bytes {JMP QWORD [RIP+0x8c217bc]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007781f780 6 bytes {JMP QWORD [RIP+0x8be08b0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000778228e4 6 bytes {JMP QWORD [RIP+0x8a7d74c]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!mouse_event 0000000077823894 6 bytes {JMP QWORD [RIP+0x88bc79c]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077828a10 6 bytes {JMP QWORD [RIP+0x8b17620]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077828be0 6 bytes {JMP QWORD [RIP+0x89f7450]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077828c20 6 bytes {JMP QWORD [RIP+0x88d7410]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendInput 0000000077828cd0 6 bytes {JMP QWORD [RIP+0x8af7360]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!BlockInput 000000007782ad60 6 bytes {JMP QWORD [RIP+0x8bf52d0]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778514e0 6 bytes {JMP QWORD [RIP+0x8c8eb50]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!keybd_event 00000000778745a4 6 bytes {JMP QWORD [RIP+0x884ba8c]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007787cc08 6 bytes {JMP QWORD [RIP+0x8a63428]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007787df18 6 bytes {JMP QWORD [RIP+0x89e2118]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\wininit.exe[528] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\services.exe[616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\services.exe[616] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed46bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077806ef0 6 bytes {JMP QWORD [RIP+0x8b99140]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077808184 6 bytes {JMP QWORD [RIP+0x8c77eac]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetParent 0000000077808530 6 bytes {JMP QWORD [RIP+0x8bb7b00]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostMessageA 000000007780a404 6 bytes {JMP QWORD [RIP+0x8955c2c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!EnableWindow 000000007780aaa0 6 bytes {JMP QWORD [RIP+0x8cb5590]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!MoveWindow 000000007780aad0 6 bytes {JMP QWORD [RIP+0x8bd5560]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007780c720 6 bytes {JMP QWORD [RIP+0x8b73910]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007780cd50 6 bytes {JMP QWORD [RIP+0x8c532e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007780d2b0 6 bytes {JMP QWORD [RIP+0x8992d80]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageA 000000007780d338 6 bytes {JMP QWORD [RIP+0x89d2cf8]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007780dc40 6 bytes {JMP QWORD [RIP+0x8ab23f0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007780f510 6 bytes {JMP QWORD [RIP+0x8c90b20]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007780f874 6 bytes {JMP QWORD [RIP+0x89107bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007780fac0 6 bytes {JMP QWORD [RIP+0x8a30570]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077810b74 6 bytes {JMP QWORD [RIP+0x89af4bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077814d4d 5 bytes {JMP QWORD [RIP+0x892b2e4]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetKeyState 0000000077815010 6 bytes {JMP QWORD [RIP+0x8b4b020]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077815438 6 bytes {JMP QWORD [RIP+0x8a6abf8]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageW 0000000077816b50 6 bytes {JMP QWORD [RIP+0x89e94e0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!PostMessageW 00000000778176e4 6 bytes {JMP QWORD [RIP+0x896894c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007781dd90 6 bytes {JMP QWORD [RIP+0x8ae22a0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetClipboardData 000000007781e874 6 bytes {JMP QWORD [RIP+0x8c217bc]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007781f780 6 bytes {JMP QWORD [RIP+0x8be08b0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000778228e4 6 bytes {JMP QWORD [RIP+0x8a7d74c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!mouse_event 0000000077823894 6 bytes {JMP QWORD [RIP+0x88bc79c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077828a10 6 bytes {JMP QWORD [RIP+0x8b17620]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077828be0 6 bytes {JMP QWORD [RIP+0x89f7450]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077828c20 6 bytes {JMP QWORD [RIP+0x88d7410]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendInput 0000000077828cd0 6 bytes {JMP QWORD [RIP+0x8af7360]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!BlockInput 000000007782ad60 6 bytes {JMP QWORD [RIP+0x8bf52d0]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778514e0 6 bytes {JMP QWORD [RIP+0x8c8eb50]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!keybd_event 00000000778745a4 6 bytes {JMP QWORD [RIP+0x884ba8c]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007787cc08 6 bytes {JMP QWORD [RIP+0x8a63428]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007787df18 6 bytes {JMP QWORD [RIP+0x89e2118]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 1e35050 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP af10a .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[628] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed46bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 9 .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0x17dd64]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x19db70]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x1ba450]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x137c98]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Windows\system32\nvvsvc.exe[824] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[848] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed46bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes {JMP QWORD [RIP+0x2b5e90]} .text C:\Windows\system32\svchost.exe[884] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077951490 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes {JMP QWORD [RIP+0x2b5e90]} .text C:\Windows\System32\svchost.exe[352] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes {JMP QWORD [RIP+0x2b05e0]} .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes JMP 87255c1 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes JMP c274c295 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes JMP 8c4eaa8 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes JMP 8be16d1 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes JMP 8cee9d0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes JMP 109aa24 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes JMP 8efe218 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes JMP 8bce7c8 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes JMP 1091dc8 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes JMP 8be0bd1 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes JMP 8dfd091 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes JMP ce5c0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes JMP 9fac0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes JMP 8d6d860 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes JMP 8be2851 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes JMP 10dcb1d .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes JMP 8d5a910 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes JMP 8cad590 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes JMP 8c10940 .text C:\Windows\System32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes JMP 8c09dd0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes JMP c274c274 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes JMP 894fba9 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes JMP 360033 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes JMP 310032 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 4d837fe0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 7fe .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 131960 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 50005c .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed46bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 4134 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\AUDIODG.EXE[1112] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0x17dd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 1000c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 70000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x137c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x1ba450]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Windows\system32\nvvsvc.exe[1312] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\spoolsv.exe[1500] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed46bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 7394eb01 .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 9 .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes {JMP QWORD [RIP+0x2b5e90]} .text C:\Windows\system32\taskhost.exe[1708] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes {JMP QWORD [RIP+0x2b05e0]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1776] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 61437869 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 0 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[1876] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x19db70]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x1ba450]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x137c98]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Windows\Explorer.EXE[1884] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 701b .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskeng.exe[1956] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\ASUS.SYS\config\DVMExportService.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075751465 2 bytes [75, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757514bb 2 bytes [75, 75] .text ... * 2 .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskeng.exe[576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075751465 2 bytes [75, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757514bb 2 bytes [75, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2100] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2244] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 2b05c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 1000100 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x19db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x1ba450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 9b9 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2348] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2604] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 09] .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0D] .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0x17dd64]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 3db0c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x77a450]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x137c98]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x7b4648]} .text C:\Program Files\Windows Sidebar\sidebar.exe[2612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x78ac20]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 720065 .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\RunDll32.exe[2644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0x17dd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x19db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x1ba450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x137c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x117668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x156cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3004] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x23db70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x25a450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0x1d7c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x1b7668]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0x1f6cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2080] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x26ac20]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 701b .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\wbem\wmiprvse.exe[2304] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000776ea420 6 bytes {JMP QWORD [RIP+0x89b5c10]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077701b50 6 bytes {JMP QWORD [RIP+0x895e4e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077778810 6 bytes {JMP QWORD [RIP+0x8907820]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes JMP 53737345 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes JMP 1ba470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4076] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes JMP 1cac20 .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077923ae0 6 bytes {JMP QWORD [RIP+0x871c550]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077951400 6 bytes {JMP QWORD [RIP+0x86cec30]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779515d0 6 bytes {JMP QWORD [RIP+0x8c4ea60]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077951640 6 bytes {JMP QWORD [RIP+0x8d2e9f0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077951680 6 bytes {JMP QWORD [RIP+0x8cee9b0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077951720 6 bytes {JMP QWORD [RIP+0x8d4e910]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779517b0 6 bytes {JMP QWORD [RIP+0x8cce880]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779517f0 6 bytes {JMP QWORD [RIP+0x8bce840]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077951840 6 bytes {JMP QWORD [RIP+0x8bee7f0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077951860 6 bytes {JMP QWORD [RIP+0x8d0e7d0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077951a50 6 bytes {JMP QWORD [RIP+0x8dce5e0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077951b60 6 bytes {JMP QWORD [RIP+0x8bae4d0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077951c30 6 bytes {JMP QWORD [RIP+0x8c6e400]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077951d80 6 bytes {JMP QWORD [RIP+0x8d6e2b0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077951d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077952100 6 bytes {JMP QWORD [RIP+0x8c8df30]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077952190 6 bytes {JMP QWORD [RIP+0x8d8dea0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077952a00 6 bytes {JMP QWORD [RIP+0x8cad630]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077952a80 6 bytes {JMP QWORD [RIP+0x8c0d5b0]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077952b00 6 bytes {JMP QWORD [RIP+0x8c2d530]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd7a9aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7b5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9422cc 6 bytes {JMP QWORD [RIP+0xfdd64]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe9424c0 6 bytes {JMP QWORD [RIP+0x11db70]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe945be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe948398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9489c8 6 bytes JMP 8f66 .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe949344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe94b9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe955410 6 bytes {JMP QWORD [RIP+0x14ac20]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff1fa1a0 6 bytes {JMP QWORD [RIP+0x2b5e90]} .text C:\Windows\system32\DllHost.exe[4160] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff21fa50 6 bytes {JMP QWORD [RIP+0x2b05e0]} .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077aff9c0 3 bytes JMP 71af000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077aff9c4 2 bytes JMP 71af000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077affc90 3 bytes JMP 7100000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077affc94 2 bytes JMP 7100000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077affd44 3 bytes JMP 70eb000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077affd48 2 bytes JMP 70eb000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077affda8 3 bytes JMP 70f1000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077affdac 2 bytes JMP 70f1000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077affea0 3 bytes JMP 70e8000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077affea4 2 bytes JMP 70e8000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077afff84 3 bytes JMP 70f4000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077afff88 2 bytes JMP 70f4000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077afffe4 3 bytes JMP 710c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077afffe8 2 bytes JMP 710c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077b00064 3 bytes JMP 7109000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077b00068 2 bytes JMP 7109000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b00094 3 bytes JMP 70ee000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b00098 2 bytes JMP 70ee000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077b00398 3 bytes JMP 70dc000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077b0039c 2 bytes JMP 70dc000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b00530 3 bytes JMP 710f000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077b00534 2 bytes JMP 710f000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077b00674 3 bytes JMP 70fd000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077b00678 2 bytes JMP 70fd000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b0086c 3 bytes JMP 70e5000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077b00870 2 bytes JMP 70e5000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077b00884 3 bytes JMP 70df000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077b00888 2 bytes JMP 70df000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077b00dd4 3 bytes JMP 70fa000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077b00dd8 2 bytes JMP 70fa000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077b00eb8 3 bytes JMP 70e2000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077b00ebc 2 bytes JMP 70e2000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077b01bc4 3 bytes JMP 70f7000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077b01bc8 2 bytes JMP 70f7000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077b01c94 3 bytes JMP 7106000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077b01c98 2 bytes JMP 7106000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077b01d6c 3 bytes JMP 7103000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077b01d70 2 bytes JMP 7103000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b21217 6 bytes JMP 71a8000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007603103d 6 bytes JMP 719c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076031072 6 bytes JMP 7199000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007605c9b5 6 bytes JMP 7190000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007560f776 6 bytes JMP 719f000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075612c91 4 bytes CALL 71ac0000 .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes JMP 715d000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes JMP 7118000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes JMP 7157000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes JMP 7151000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 7169000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes JMP 711e000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes JMP 711e000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes JMP 7163000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes JMP 7136000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes JMP 712d000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes JMP 712d000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes JMP 7115000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes JMP 712a000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes JMP 712a000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes JMP 7166000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes JMP 7160000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes JMP 715a000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes JMP 711b000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 716c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes JMP 7145000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes JMP 714b000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes JMP 7154000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 716f000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes JMP 7127000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes JMP 7127000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes JMP 7142000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes JMP 713f000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes JMP 7133000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes JMP 7139000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes JMP 7139000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes JMP 713c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes JMP 713c000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes JMP 7121000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes JMP 7112000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes JMP 7172000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes JMP 7175000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes JMP 714e000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes JMP 7148000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes JMP 7124000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes JMP 7124000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes JMP 7130000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes JMP 7130000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000769658b3 6 bytes JMP 7184000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076965ea6 6 bytes JMP 7181000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076967bcc 6 bytes JMP 718d000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007696b895 6 bytes JMP 7178000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007696c332 6 bytes JMP 717e000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007696cbfb 6 bytes JMP 7187000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007696e743 6 bytes JMP 718a000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076994646 6 bytes JMP 717b000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000077682538 6 bytes JMP 7196000a .text C:\Users\Karol\Desktop\m57g1hli.exe[4244] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776852e9 6 bytes JMP 7193000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_initterm] [6200750070002f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_XcptFilter] [6800730069006c] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!malloc] [62006f00640065] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_amsg_exit] [6e00650067002f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_wcsicmp] [65006e00690075] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!memmove] [6f0066006e0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_vsnwprintf] [6300610066002f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!free] [790072006f0074] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!??2@YAPEAX_K@Z] [9090909090900000] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_purecall] [7400660073006d] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!??_V@YAXPEAX@Z] [7000700073003a] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_unlock] [6200750070002f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!__dllonexit] [6800730069006c] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_lock] [62006f00640065] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!_onexit] [7400630065006a] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!__CxxFrameHandler3] [6500760065002f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!memcpy] [61006d0074006e] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!??3@YAXPEAX@Z] [6500670061006e] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!memset] [9090909000000072] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [75007000700073] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwGetTraceLoggerHandle] [7900660069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwGetTraceEnableLevel] [9090909090909090] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwGetTraceEnableFlags] [540046004f0053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!NtQueryInformationToken] [45005200410057] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlLengthRequiredSid] [630069004d005c] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlInitializeSid] [6f0073006f0072] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlSubAuthoritySid] [57005c00740066] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlCaptureContext] [6f0064006e0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlLookupFunctionEntry] [4e002000730077] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlVirtualUnwind] [750043005c0054] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlFreeHeap] [6e006500720072] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlNtStatusToDosError] [72006500560074] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!RtlAllocateAndInitializeSid] [6e006f00690073] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwTraceMessage] [66006f0053005c] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwUnregisterTraceGuids] [72006100770074] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ntdll.dll!EtwRegisterTraceGuidsW] [6f007200500065] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [50006e006f0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetCurrentProcessId] [6600740061006c] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetCurrentThreadId] [6d0072006f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetTickCount] [7400660073006d] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!QueryPerformanceCounter] [2f006d0072003a] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!Sleep] [6e006500760065] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!TerminateProcess] [69006c002f0074] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetCurrentProcess] [73006e00650063] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [730067006e0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!UnhandledExceptionFilter] [65007400610074] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!CloseHandle] [6e006100680063] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetCurrentThread] [6400650067] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!DisableThreadLibraryCalls] [74006100630069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!RaiseException] [46006e006f0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetLastError] [4e007000700053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetProcessHeap] [6600690074006f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!HeapFree] [74006100630069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!LocalFree] [4e007900740072] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!LocalAlloc] [65006d0061] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[KERNEL32.dll!GetVersionExA] [42005f004c0053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegEnumKeyExW] [49004d004d004f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!SetSecurityInfo] [9090909000000054] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!AddAccessAllowedAceEx] [4e007000700053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!InitializeAcl] [6600690074006f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!GetLengthSid] [74006100630069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!ConvertStringSidToSidW] [53006e006f0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegCopyTreeW] [6400490075006b] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegDeleteTreeW] [9090909090900000] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegCreateKeyExW] [42007000700053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegSetValueExW] [690064006e0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegQueryValueExW] [6b00530067006e] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!ConvertSidToStringSidW] [6400490075] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegOpenKeyExW] [50007000700053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegQueryInfoKeyW] [4200790065006b] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!RegCloseKey] [690064006e0069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!OpenProcessToken] [6900500067006e] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!AllocateAndInitializeSid] [9090000000340064] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!CheckTokenMembership] [4e007000700053] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!OpenThreadToken] [6600690074006f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ADVAPI32.dll!FreeSid] [74006100630069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[USER32.dll!UnregisterClassA] [4900790065004b] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[USER32.dll!CharUpperBuffW] [9090909000000064] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ole32.dll!IIDFromString] [6600690074006f] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ole32.dll!PropVariantClear] [74006100630069] IAT C:\Windows\system32\DllHost.exe[4160] @ C:\Windows\System32\IDStore.dll[ole32.dll!CoCreateInstance] [48006e006f0069] ---- EOF - GMER 2.1 ----