GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-14 00:49:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000076 ATA_____ rev.SDM1 298,09GB Running: gmer.exe; Driver: C:\Users\Maka\AppData\Local\Temp\kftciaog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800037a2000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800037a202f 16 bytes [00, 3D, 45, 10, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776c13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776c15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077456ef0 4 bytes [FF, 25, 40, 91] .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!RegisterRawInputDevices + 5 0000000077456ef5 1 byte [08] .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077458184 6 bytes {JMP QWORD [RIP+0x9027eac]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SetParent 0000000077458530 6 bytes {JMP QWORD [RIP+0x8f67b00]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!PostMessageA 000000007745a404 6 bytes {JMP QWORD [RIP+0x8d05c2c]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!EnableWindow 000000007745aaa0 6 bytes {JMP QWORD [RIP+0x9065590]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!MoveWindow 000000007745aad0 6 bytes {JMP QWORD [RIP+0x8f85560]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007745c720 6 bytes {JMP QWORD [RIP+0x8f23910]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007745cd50 6 bytes {JMP QWORD [RIP+0x90032e0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007745d2b0 6 bytes {JMP QWORD [RIP+0x8d42d80]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageA 000000007745d338 6 bytes {JMP QWORD [RIP+0x8d82cf8]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007745dc40 6 bytes {JMP QWORD [RIP+0x8e623f0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007745f510 6 bytes {JMP QWORD [RIP+0x9040b20]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007745f874 6 bytes {JMP QWORD [RIP+0x8cc07bc]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007745fac0 6 bytes {JMP QWORD [RIP+0x8de0570]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077460b74 6 bytes {JMP QWORD [RIP+0x8d5f4bc]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077464d4d 5 bytes {JMP QWORD [RIP+0x8cdb2e4]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!GetKeyState 0000000077465010 6 bytes {JMP QWORD [RIP+0x8efb020]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077465438 6 bytes {JMP QWORD [RIP+0x8e1abf8]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageW 0000000077466b50 6 bytes {JMP QWORD [RIP+0x8d994e0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!PostMessageW 00000000774676e4 6 bytes {JMP QWORD [RIP+0x8d1894c]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007746dd90 6 bytes {JMP QWORD [RIP+0x8e922a0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!GetClipboardData 000000007746e874 6 bytes {JMP QWORD [RIP+0x8fd17bc]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007746f780 6 bytes {JMP QWORD [RIP+0x8f908b0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774728e4 6 bytes {JMP QWORD [RIP+0x8e2d74c]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!mouse_event 0000000077473894 6 bytes {JMP QWORD [RIP+0x8c6c79c]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077478a10 6 bytes {JMP QWORD [RIP+0x8ec7620]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077478be0 6 bytes {JMP QWORD [RIP+0x8da7450]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077478c20 6 bytes {JMP QWORD [RIP+0x8c87410]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendInput 0000000077478cd0 6 bytes {JMP QWORD [RIP+0x8ea7360]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!BlockInput 000000007747ad60 6 bytes {JMP QWORD [RIP+0x8fa52d0]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774a14e0 6 bytes {JMP QWORD [RIP+0x903eb50]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!keybd_event 00000000774c45a4 6 bytes {JMP QWORD [RIP+0x8bfba8c]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774ccc08 6 bytes {JMP QWORD [RIP+0x8e13428]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774cdf18 6 bytes {JMP QWORD [RIP+0x8d92118]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\wininit.exe[704] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776c13c0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776c15c0 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\services.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\services.exe[780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\services.exe[780] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef26bd0 6 bytes {JMP QWORD [RIP+0x139460]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077456ef0 4 bytes [FF, 25, 40, 91] .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!RegisterRawInputDevices + 5 0000000077456ef5 1 byte [08] .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077458184 6 bytes {JMP QWORD [RIP+0x9027eac]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SetParent 0000000077458530 6 bytes {JMP QWORD [RIP+0x8f67b00]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!PostMessageA 000000007745a404 6 bytes {JMP QWORD [RIP+0x8d05c2c]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!EnableWindow 000000007745aaa0 6 bytes {JMP QWORD [RIP+0x9065590]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!MoveWindow 000000007745aad0 6 bytes {JMP QWORD [RIP+0x8f85560]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007745c720 6 bytes {JMP QWORD [RIP+0x8f23910]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007745cd50 6 bytes {JMP QWORD [RIP+0x90032e0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007745d2b0 6 bytes {JMP QWORD [RIP+0x8d42d80]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageA 000000007745d338 6 bytes {JMP QWORD [RIP+0x8d82cf8]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007745dc40 6 bytes {JMP QWORD [RIP+0x8e623f0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007745f510 6 bytes {JMP QWORD [RIP+0x9040b20]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007745f874 6 bytes {JMP QWORD [RIP+0x8cc07bc]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007745fac0 6 bytes {JMP QWORD [RIP+0x8de0570]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077460b74 6 bytes {JMP QWORD [RIP+0x8d5f4bc]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077464d4d 5 bytes {JMP QWORD [RIP+0x8cdb2e4]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!GetKeyState 0000000077465010 6 bytes {JMP QWORD [RIP+0x8efb020]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077465438 6 bytes {JMP QWORD [RIP+0x8e1abf8]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageW 0000000077466b50 6 bytes {JMP QWORD [RIP+0x8d994e0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!PostMessageW 00000000774676e4 6 bytes {JMP QWORD [RIP+0x8d1894c]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007746dd90 6 bytes {JMP QWORD [RIP+0x8e922a0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!GetClipboardData 000000007746e874 6 bytes {JMP QWORD [RIP+0x8fd17bc]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007746f780 6 bytes {JMP QWORD [RIP+0x8f908b0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774728e4 6 bytes {JMP QWORD [RIP+0x8e2d74c]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!mouse_event 0000000077473894 6 bytes {JMP QWORD [RIP+0x8c6c79c]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077478a10 6 bytes {JMP QWORD [RIP+0x8ec7620]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077478be0 6 bytes {JMP QWORD [RIP+0x8da7450]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077478c20 6 bytes {JMP QWORD [RIP+0x8c87410]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendInput 0000000077478cd0 6 bytes {JMP QWORD [RIP+0x8ea7360]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!BlockInput 000000007747ad60 6 bytes {JMP QWORD [RIP+0x8fa52d0]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774a14e0 6 bytes {JMP QWORD [RIP+0x903eb50]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!keybd_event 00000000774c45a4 6 bytes {JMP QWORD [RIP+0x8bfba8c]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774ccc08 6 bytes {JMP QWORD [RIP+0x8e13428]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774cdf18 6 bytes {JMP QWORD [RIP+0x8d92118]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\services.exe[780] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\lsass.exe[808] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes {JMP QWORD [RIP+0x2905e0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\lsm.exe[816] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef26bd0 6 bytes {JMP QWORD [RIP+0x139460]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 2070 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 9 .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\nvvsvc.exe[412] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef26bd0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 460020 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\svchost.exe[576] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 37002d .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 78f87036 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 450045 .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\System32\svchost.exe[1284] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes JMP 8951ef9 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes JMP 8fca8fca .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes JMP 8edeaa8 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes JMP 8fbe8d8 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes JMP 8d9fcd1 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes JMP 8d9fcd1 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes JMP 90e0680 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes JMP 3a6c0 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes JMP 8e7e838 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes JMP 8f9e500 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes JMP 905fc80 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes JMP 8e3e9d0 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes JMP 180ec0 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes JMP 8ffe288 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes JMP 903e228 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes JMP 1051b1b .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes JMP 8c15fc8 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes JMP 9030891 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes JMP 94b2270 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes JMP 98dc188 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes JMP 8a8e099 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes JMP 77afb61 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes JMP 295ed0 .text C:\Windows\System32\svchost.exe[1316] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 290620 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 670069 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes JMP 39333638 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes JMP 38454536 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef26bd0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes {JMP QWORD [RIP+0x2905e0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes {JMP QWORD [RIP+0x8edea60]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x8fbe9f0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes {JMP QWORD [RIP+0x8f7e9b0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x8fde910]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes {JMP QWORD [RIP+0x8f5e880]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes {JMP QWORD [RIP+0x8e5e840]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e7e7f0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x8f9e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x905e5e0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8efe400]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x8ffe2b0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes {JMP QWORD [RIP+0x903e2a0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes {JMP QWORD [RIP+0x8f1df30]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x901dea0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes {JMP QWORD [RIP+0x8f3d630]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8e9d5b0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes {JMP QWORD [RIP+0x8ebd530]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\AUDIODG.EXE[1444] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Program Files\HitmanPro\hmpsched.exe[1580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\nvvsvc.exe[1908] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 8f78 .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\FBAgent.exe[2024] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x904e9f0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x906e910]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e9e7f0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x90fe5e0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e4e4d0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f3e400]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x908e2b0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90adea0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8ebd5b0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, F9, 55, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, B9, 50, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, F9, 5C, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, B9, 57, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, 79, 52, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 39, 54, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 140 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 2c .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 740066 .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff2f13b1 11 bytes [B8, B9, B9, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!closesocket 000007feff2f18e0 12 bytes [48, B8, F9, B7, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff2f1bd1 11 bytes [B8, 39, B6, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff2f2201 11 bytes [B8, B9, DC, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff2f23c0 12 bytes [48, B8, 39, A1, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!connect 000007feff2f45c0 12 bytes [48, B8, 39, 62, 8B, 75, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!send + 1 000007feff2f8001 11 bytes [B8, 79, B4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff2f8df0 7 bytes [48, B8, F9, A2, 8B, 75, 00] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff2f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff2fde91 11 bytes [B8, B9, D5, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff2fdf41 11 bytes [B8, F9, DA, 8B, 75, 00, 00, ...] .text C:\Windows\system32\WLANExt.exe[2032] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff31e0f1 11 bytes [B8, 39, D9, 8B, 75, 00, 00, ...] .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes JMP 7f2e .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\System32\spoolsv.exe[2056] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x906e9f0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, B9, E3, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x908e910]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ebe7f0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, 79, E5, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x911e5e0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e6e4d0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f5e400]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ae2b0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90cdea0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8edd5b0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefef26bd0 6 bytes {JMP QWORD [RIP+0x139460]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes {JMP QWORD [RIP+0x2905e0]} .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff2f13b1 11 bytes [B8, B9, B9, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!closesocket 000007feff2f18e0 12 bytes [48, B8, F9, B7, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff2f1bd1 11 bytes [B8, 39, B6, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff2f2201 11 bytes [B8, B9, DC, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff2f23c0 12 bytes [48, B8, 39, A1, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!connect 000007feff2f45c0 12 bytes [48, B8, 39, 62, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!send + 1 000007feff2f8001 11 bytes [B8, 79, B4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff2f8df0 7 bytes [48, B8, F9, A2, 8B, 75, 00] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff2f8df9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff2fde91 11 bytes [B8, B9, D5, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff2fdf41 11 bytes [B8, F9, DA, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff31e0f1 11 bytes [B8, 39, D9, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x295e90]} .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 4d68636d .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\taskeng.exe[2204] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\system32\Dwm.exe[2128] C:\Windows\system32\d3d11.dll!D3D11CreateDeviceAndSwapChain 000007fef62100f8 12 bytes [48, B8, 39, 8C, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89ac550]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, B9, 50, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes {JMP QWORD [RIP+0x895ec30]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, B9, 57, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, F9, 55, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x902e9f0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, 71, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x904e910]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, B9, 73, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e8e7f0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes {JMP QWORD [RIP+0x900e7d0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, 39, 77, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x90de5e0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e3e4d0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes JMP 8dcc0000 .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, 70, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x906e2b0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 79, 60, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x908dea0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, 39, 62, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8ead5b0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, 79, 75, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, 79, 67, 8B, 75] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, B9, 65, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd799aa5 3 bytes CALL 5b000038 .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, 39, 46, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, F9, 40, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, 39, 3F, 8B, 75, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, F9, 47, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, B9, 42, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 79, 44, 8B, 75, 00, 00, ...] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes {JMP QWORD [RIP+0x1bdb70]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 773d85b1 .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077456ef0 4 bytes JMP 58245c8b .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!RegisterRawInputDevices + 5 0000000077456ef5 1 byte [08] .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077458184 6 bytes {JMP QWORD [RIP+0x9027eac]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SetParent 0000000077458530 6 bytes {JMP QWORD [RIP+0x8f67b00]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!PostMessageA 000000007745a404 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!EnableWindow 000000007745aaa0 6 bytes {JMP QWORD [RIP+0x9065590]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!MoveWindow 000000007745aad0 6 bytes {JMP QWORD [RIP+0x8f85560]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007745c720 6 bytes {JMP QWORD [RIP+0x8f23910]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007745cd50 6 bytes {JMP QWORD [RIP+0x90032e0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007745d2b0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageA 000000007745d338 6 bytes {JMP QWORD [RIP+0x8d82cf8]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007745dc40 6 bytes {JMP QWORD [RIP+0x8e623f0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007745f510 6 bytes {JMP QWORD [RIP+0x9040b20]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007745f874 6 bytes {JMP QWORD [RIP+0x8cc07bc]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007745fac0 6 bytes {JMP QWORD [RIP+0x8de0570]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077460b74 6 bytes {JMP QWORD [RIP+0x8d5f4bc]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077464d4d 5 bytes {JMP QWORD [RIP+0x8cdb2e4]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!GetKeyState 0000000077465010 6 bytes {JMP QWORD [RIP+0x8efb020]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077465438 6 bytes {JMP QWORD [RIP+0x8e1abf8]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageW 0000000077466b50 6 bytes {JMP QWORD [RIP+0x8d994e0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!PostMessageW 00000000774676e4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007746dd90 6 bytes {JMP QWORD [RIP+0x8e922a0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!GetClipboardData 000000007746e874 6 bytes {JMP QWORD [RIP+0x8fd17bc]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007746f780 6 bytes {JMP QWORD [RIP+0x8f908b0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774728e4 6 bytes {JMP QWORD [RIP+0x8e2d74c]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!mouse_event 0000000077473894 6 bytes {JMP QWORD [RIP+0x8c6c79c]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077478a10 6 bytes {JMP QWORD [RIP+0x8ec7620]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077478be0 6 bytes {JMP QWORD [RIP+0x8da7450]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077478c20 6 bytes {JMP QWORD [RIP+0x8c87410]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendInput 0000000077478cd0 6 bytes {JMP QWORD [RIP+0x8ea7360]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!BlockInput 000000007747ad60 6 bytes {JMP QWORD [RIP+0x8fa52d0]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000774a14e0 6 bytes {JMP QWORD [RIP+0x903eb50]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!keybd_event 00000000774c45a4 6 bytes {JMP QWORD [RIP+0x8bfba8c]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00000000774ccc08 6 bytes {JMP QWORD [RIP+0x8e13428]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00000000774cdf18 6 bytes {JMP QWORD [RIP+0x8d92118]} .text C:\Windows\Explorer.EXE[3164] C:\Windows\system32\WS2_32.dll!connect 000007feff2f45c0 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 0000000175026661 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 00000001750265d1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes [DD, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 00000001750266f1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 710d000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 710d000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes [F7, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 0000000175026541 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes [DA, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes [D7, 70] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026781 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026391 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes {JMP QWORD [RIP+0x71a6001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes {JMP QWORD [RIP+0x718d001e]} .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075301465 2 bytes [30, 75] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753014bb 2 bytes [30, 75] .text ... * 2 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 0000000175026661 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70dd000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70dd000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 00000001750265d1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70da000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70da000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 00000001750266f1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7102000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7102000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70cd000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 7109000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 7109000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 0000000175026541 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70d7000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70d7000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d4000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d4000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 70ff000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 70ff000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026781 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026391 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 0000000175024021 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 0000000175023f91 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!CreateWindowExW 00000000757a8a29 5 bytes JMP 00000001750252b1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7151000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!FindWindowW 00000000757a98fd 5 bytes JMP 0000000175025cd1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 0000000175026811 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!CreateWindowExA 00000000757ad22e 5 bytes JMP 0000000175025341 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!FindWindowA 00000000757affe6 5 bytes JMP 0000000175025bb1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!FindWindowExA 00000000757b00d9 5 bytes JMP 0000000175025c41 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PeekMessageW 00000000757b05ba 5 bytes JMP 0000000175024141 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!ShowWindow 00000000757b0dfb 5 bytes JMP 00000001750253d1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 00000001750264b1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetWindowTextW 00000000757b20ec 5 bytes JMP 0000000175025731 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetParent 00000000757b2d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7124000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 0000000175026421 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!PeekMessageA 00000000757b5f74 5 bytes JMP 00000001750240b1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!CallNextHookEx 00000000757b6285 5 bytes JMP 0000000175024771 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 0000000175022ac1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 713f000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetWindowTextA 00000000757b7aee 5 bytes JMP 00000001750256a1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 0000000175022a31 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 713c000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamAorW 00000000757cce54 5 bytes JMP 00000001750254f1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 00000000757cf52b 5 bytes JMP 0000000175024801 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!FindWindowExW 00000000757cf588 5 bytes JMP 0000000175025d61 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendInput 00000000757cff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!CreateDialogIndirectParamAorW 00000000757d10a0 5 bytes JMP 0000000175025461 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!MessageBoxExA 00000000757ffcd6 5 bytes JMP 0000000175025581 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!MessageBoxExW 00000000757ffcfa 5 bytes JMP 0000000175025611 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!mouse_event 000000007580027b 6 bytes JMP 7170000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!keybd_event 00000000758002bf 6 bytes JMP 7173000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!BlockInput 0000000075807dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 717f000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7176000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717c000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7179000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075c70171 5 bytes JMP 0000000175024891 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076a43918 5 bytes JMP 0000000175025851 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076a43cd3 5 bytes JMP 00000001750257c1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!socket 0000000076a43eb8 5 bytes JMP 00000001750260c1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076a44406 5 bytes JMP 00000001750220a1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076a44889 5 bytes JMP 0000000175025191 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!recv 0000000076a46b0e 5 bytes JMP 0000000175026271 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!connect 0000000076a46bdd 1 byte JMP 0000000175023de1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076a46bdf 3 bytes {CALL RCX} .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!send 0000000076a46f01 5 bytes JMP 0000000175022011 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076a47089 5 bytes JMP 0000000175026301 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076a4cc3f 5 bytes JMP 00000001750261e1 .text C:\Program Files (x86)\TimeLeft3\TimeLeft.exe[3844] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076a57673 5 bytes JMP 0000000175025221 .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x904e9f0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x906e910]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e9e7f0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x90fe5e0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e4e4d0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f3e400]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x908e2b0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90adea0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8ebd5b0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, F9, 55, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, B9, 50, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, F9, 5C, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, B9, 57, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, 79, 52, 8B, 75, 00, 00, ...] .text C:\Windows\system32\SearchIndexer.exe[3900] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 39, 54, 8B, 75, 00, 00, ...] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 0000000175026661 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70dd000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70dd000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 00000001750265d1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70da000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70da000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 00000001750266f1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7102000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7102000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 0000000175026541 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70d7000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70d7000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 70ff000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 70ff000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026781 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026391 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 0000000175024021 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 0000000175023f91 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000757a8a29 5 bytes JMP 00000001750252b1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000757a98fd 5 bytes JMP 0000000175025cd1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 0000000175026811 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000757ad22e 5 bytes JMP 0000000175025341 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7165000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000757affe6 5 bytes JMP 0000000175025bb1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000757b00d9 5 bytes JMP 0000000175025c41 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000757b05ba 5 bytes JMP 0000000175024141 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000757b0dfb 5 bytes JMP 00000001750253d1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 00000001750264b1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000757b20ec 5 bytes JMP 0000000175025731 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 0000000175026421 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000757b5f74 5 bytes JMP 00000001750240b1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000757b6285 5 bytes JMP 0000000175024771 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 0000000175022ac1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000757b7aee 5 bytes JMP 00000001750256a1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 0000000175022a31 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000757cce54 5 bytes JMP 00000001750254f1 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757cf52b 5 bytes JMP 0000000175024801 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000757cf588 5 bytes JMP 0000000175025d61 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000757d10a0 5 bytes JMP 0000000175025461 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000757ffcd6 5 bytes JMP 0000000175025581 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000757ffcfa 5 bytes JMP 0000000175025611 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 7170000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 7173000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 717f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7176000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7179000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[1472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x904e9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x906e910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8e9e7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x90fe5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e4e4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f3e400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, 39, E7, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x908e2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90adea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8ebd5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, F9, E1, 8B, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, F9, 55, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, B9, 50, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, F9, 5C, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, B9, 57, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, 79, 52, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 39, 54, 8B, 75, 00, 00, ...] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 0000000175026661 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70db000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70db000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 00000001750265d1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 00000001750266f1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7100000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7100000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 7107000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 7107000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 0000000175026541 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026781 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026391 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076cda472 5 bytes JMP 0000000175026811 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076ce27ce 5 bytes JMP 0000000175021b91 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076cee6cf 5 bytes JMP 0000000175021b01 .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 717c000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 7179000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7170000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 7176000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7173000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 7155000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7110000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 714f000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 7149000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7161000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 7116000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 7116000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 6 bytes JMP 715b000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 712e000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 7125000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 7125000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 710d000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7122000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7122000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 6 bytes JMP 715e000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 7158000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7152000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7113000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 6 bytes JMP 7164000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 713d000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7143000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 714c000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 6 bytes JMP 7167000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 711f000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 711f000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 713a000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 7137000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 712b000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7131000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7131000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 7134000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 7134000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 710a000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 716a000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 716d000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 7146000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7140000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 711c000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 711c000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 7128000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 7128000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a .text C:\Program Files (x86)\Wise\Wise Folder Hider\WiseFolderHider.exe[732] C:\Windows\syswow64\shell32.dll!Shell_NotifyIconW 0000000075c70171 5 bytes JMP 0000000175024891 .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007786f9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 3 bytes JMP 7100000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007786fc94 2 bytes JMP 7100000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70eb000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70eb000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 3 bytes JMP 70f1000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007786fdac 2 bytes JMP 70f1000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70e8000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70e8000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007786ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 3 bytes JMP 710c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007786ffe8 2 bytes JMP 710c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7109000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7109000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 3 bytes JMP 70ee000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077870098 2 bytes JMP 70ee000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70dc000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70dc000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 710f000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 710f000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70fd000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70fd000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70e5000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 3 bytes JMP 70df000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077870888 2 bytes JMP 70df000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077870dd8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077871bc8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 7106000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 7106000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 3 bytes JMP 7103000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077871d70 2 bytes JMP 7103000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7193000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 717b000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 715d000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7118000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7157000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 7151000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 711e000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 711e000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 6 bytes JMP 7163000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7136000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 712d000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 712d000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 7115000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 712a000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 712a000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 6 bytes JMP 7166000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 7160000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 715a000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 711b000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 6 bytes JMP 716c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 7145000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 714b000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 7154000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7127000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7127000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 7142000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 713f000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 7133000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7139000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7139000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 713c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 713c000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 7121000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 7112000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 714e000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7148000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 7124000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 7124000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 7130000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 7130000a .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075301465 2 bytes [30, 75] .text C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[2280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753014bb 2 bytes [30, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes JMP aab .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes JMP 0 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 0000000175026661 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 00000001750265d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70de000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70de000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 00000001750266f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7106000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7106000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 710d000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 710d000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 0000000175026541 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70db000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70db000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 7103000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 7103000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026781 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026391 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076cda472 5 bytes JMP 0000000175026811 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076ce27ce 5 bytes JMP 0000000175021b91 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076cee6cf 5 bytes JMP 0000000175021b01 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7182000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 717f000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7176000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717c000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7179000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 715b000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7116000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7155000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 714f000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7167000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 711c000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 711c000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 6 bytes JMP 7161000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7134000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 712b000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 712b000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 7113000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7128000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7128000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 6 bytes JMP 7164000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 715e000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7158000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7119000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 6 bytes JMP 716a000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 7143000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7149000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 7152000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 6 bytes JMP 716d000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7125000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7125000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 7140000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 713d000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 7131000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7137000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7137000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 713a000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 713a000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 711f000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 7110000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 7170000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 7173000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 714c000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7146000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 7122000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 7122000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 712e000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 712e000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!closesocket 0000000076a43918 5 bytes JMP 0000000175025851 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!WSASocketW 0000000076a43cd3 5 bytes JMP 00000001750257c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!socket 0000000076a43eb8 5 bytes JMP 00000001750260c1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!WSASend 0000000076a44406 5 bytes JMP 00000001750220a1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!GetAddrInfoW 0000000076a44889 5 bytes JMP 0000000175025191 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!recv 0000000076a46b0e 5 bytes JMP 0000000175026271 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!connect 0000000076a46bdd 1 byte JMP 0000000175023de1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!connect + 2 0000000076a46bdf 3 bytes {CALL RCX} .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!send 0000000076a46f01 5 bytes JMP 0000000175022011 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!WSARecv 0000000076a47089 5 bytes JMP 0000000175026301 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!WSAConnect 0000000076a4cc3f 5 bytes JMP 00000001750261e1 .text C:\Program Files (x86)\Notepad++\notepad++.exe[2744] C:\Windows\syswow64\WS2_32.DLL!gethostbyname 0000000076a57673 5 bytes JMP 0000000175025221 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007786f8d0 5 bytes JMP 00000001750260c1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 00000001750266f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70dd000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70dd000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 0000000175026661 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70da000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70da000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 0000000175026781 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7102000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7102000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70cd000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70cd000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 7109000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 7109000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f4000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f4000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 00000001750265d1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70d7000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70d7000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d4000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d4000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 70ff000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 70ff000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026811 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026421 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7182000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 717f000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7176000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717c000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7179000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 0000000175024021 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 0000000175023f91 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000757a8a29 5 bytes JMP 00000001750252b1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 7157000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7112000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7151000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 714b000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000757a98fd 5 bytes JMP 0000000175025cd1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 00000001750268a1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000757ad22e 5 bytes JMP 0000000175025341 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7165000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 7118000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 7118000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000757affe6 5 bytes JMP 0000000175025bb1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000757b00d9 5 bytes JMP 0000000175025c41 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000757b05ba 5 bytes JMP 0000000175024141 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000757b0dfb 5 bytes JMP 00000001750253d1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 0000000175026541 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000757b20ec 5 bytes JMP 0000000175025731 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7130000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 7127000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 7127000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 710f000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7124000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7124000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 00000001750264b1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 715a000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000757b5f74 5 bytes JMP 00000001750240b1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7154000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000757b6285 5 bytes JMP 0000000175024771 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7115000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 0000000175022ac1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 713f000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7145000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 714e000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000757b7aee 5 bytes JMP 00000001750256a1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 0000000175022a31 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7121000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7121000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 713c000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000757cce54 5 bytes JMP 00000001750254f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 7139000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 712d000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7133000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7133000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757cf52b 5 bytes JMP 0000000175024801 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000757cf588 5 bytes JMP 0000000175025d61 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 7136000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 7136000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000757d10a0 5 bytes JMP 0000000175025461 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 711b000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 710c000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000757ffcd6 5 bytes JMP 0000000175025581 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000757ffcfa 5 bytes JMP 0000000175025611 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 7170000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 7173000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 7148000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7142000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 711e000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 711e000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 712a000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 712a000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000773bca4c 5 bytes JMP 00000001750238d1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000773c2bf0 5 bytes JMP 0000000175023841 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000773c369c 5 bytes JMP 0000000175023cc1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000773c49e5 5 bytes JMP 0000000175026931 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000773d712c 5 bytes JMP 0000000175023f01 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000773d7144 5 bytes JMP 0000000175023a81 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000773d715c 5 bytes JMP 0000000175023b11 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000773f30e8 5 bytes JMP 0000000175023ba1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000773f30f8 5 bytes JMP 0000000175023c31 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000773f3108 5 bytes JMP 0000000175023961 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000773f3118 5 bytes JMP 00000001750239f1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000773f3158 5 bytes JMP 0000000175023e71 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076a43918 5 bytes JMP 0000000175025851 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076a43cd3 5 bytes JMP 00000001750257c1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!socket 0000000076a43eb8 5 bytes JMP 0000000175026151 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076a44406 5 bytes JMP 00000001750220a1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076a44889 5 bytes JMP 0000000175025191 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!recv 0000000076a46b0e 5 bytes JMP 0000000175026301 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!connect 0000000076a46bdd 1 byte JMP 0000000175023de1 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!connect + 2 0000000076a46bdf 3 bytes {CALL RCX} .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!send 0000000076a46f01 5 bytes JMP 0000000175022011 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076a47089 5 bytes JMP 0000000175026391 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000076a4cc3f 5 bytes JMP 0000000175026271 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076a57673 5 bytes JMP 0000000175025221 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075c70171 5 bytes JMP 0000000175024891 .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075301465 2 bytes [30, 75] .text C:\Users\Maka\Desktop\procexp.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753014bb 2 bytes [30, 75] .text ... * 2 .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077693ae0 6 bytes {JMP QWORD [RIP+0x89bc550]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000776a92a1 5 bytes [B8, F9, 63, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7 00000000776a92a7 5 bytes [00, 00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 00000000776c1370 6 bytes [48, B8, B9, D5, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile + 8 00000000776c1378 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 00000000776c1390 6 bytes [48, B8, 39, EE, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 00000000776c1398 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776c1400 6 bytes [48, B8, 79, D0, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000776c1408 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000776c14d0 6 bytes [48, B8, 39, BD, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 00000000776c14d8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776c1570 6 bytes [48, B8, F9, 32, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776c1578 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776c1590 6 bytes [48, B8, 39, 1C, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776c1598 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776c15b0 6 bytes [48, B8, F9, 1D, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776c15b8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776c15d0 6 bytes [48, B8, 79, BB, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00000000776c15d8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776c1640 6 bytes {JMP QWORD [RIP+0x908e9f0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776c1680 6 bytes [48, B8, B9, EA, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 00000000776c1688 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776c16b0 6 bytes [48, B8, 79, 2F, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 00000000776c16b8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776c16d0 6 bytes [48, B8, 79, 36, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 00000000776c16d8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776c1720 6 bytes {JMP QWORD [RIP+0x90ae910]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000776c1760 6 bytes [48, B8, B9, 34, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 00000000776c1768 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776c17b0 6 bytes [48, B8, F9, EF, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 00000000776c17b8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000776c17e0 6 bytes [48, B8, 39, 2A, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 00000000776c17e8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776c17f0 6 bytes [48, B8, B9, 26, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 00000000776c17f8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776c1840 6 bytes {JMP QWORD [RIP+0x8ede7f0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776c1860 6 bytes [48, B8, 79, EC, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776c1868 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776c1910 6 bytes [48, B8, 79, F3, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000776c1918 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776c1a50 6 bytes {JMP QWORD [RIP+0x913e5e0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c1b60 6 bytes {JMP QWORD [RIP+0x8e8e4d0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000776c1c30 6 bytes {JMP QWORD [RIP+0x8f7e400]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776c1ce0 6 bytes [48, B8, F9, E8, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 00000000776c1ce8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000776c1d30 6 bytes [48, B8, 79, 28, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 00000000776c1d38 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c1d80 6 bytes {JMP QWORD [RIP+0x90ce2b0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776c1d90 6 bytes [48, B8, F9, 24, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 00000000776c1d98 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776c2100 6 bytes [48, B8, 39, D2, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 00000000776c2108 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000776c2190 6 bytes {JMP QWORD [RIP+0x90edea0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 00000000776c2640 6 bytes [48, B8, 39, 7E, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 00000000776c2648 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776c2840 6 bytes [48, B8, 39, 31, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 00000000776c2848 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776c2a00 6 bytes [48, B8, F9, D3, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 00000000776c2a08 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776c2a80 6 bytes {JMP QWORD [RIP+0x8efd5b0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776c2b00 6 bytes [48, B8, B9, F1, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 00000000776c2b08 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776c2be0 6 bytes [48, B8, B9, E3, 8B, 75] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 00000000776c2be8 4 bytes [00, 00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 00000000777331f1 11 bytes [B8, F9, 7F, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, F9, E1, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes JMP 690073 .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 0 .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes JMP 701b .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes JMP 65004e .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes JMP 690054 .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff2f13b1 11 bytes [B8, B9, B9, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!closesocket 000007feff2f18e0 12 bytes [48, B8, F9, B7, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff2f1bd1 11 bytes [B8, 39, B6, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff2f2201 11 bytes [B8, 79, DE, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff2f23c0 12 bytes [48, B8, 39, A1, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!connect 000007feff2f45c0 12 bytes [48, B8, 39, 62, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!send + 1 000007feff2f8001 11 bytes [B8, 79, B4, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff2f8df0 7 bytes [48, B8, F9, A2, 8B, 75, 00] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff2f8df9 3 bytes [00, 50, C3] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff2fde91 11 bytes [B8, 79, D7, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff2fdf41 11 bytes [B8, B9, DC, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff31e0f1 11 bytes [B8, F9, DA, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefda00761 11 bytes [B8, B9, F8, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefda03b44 12 bytes [48, B8, 79, 67, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefda1b704 12 bytes [48, B8, B9, 65, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefda1b870 12 bytes [48, B8, 39, 5B, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefda1b8dc 12 bytes [48, B8, 79, 59, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes {JMP QWORD [RIP+0x16b5e90]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes {JMP QWORD [RIP+0x16b05e0]} .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, F9, 55, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, B9, 50, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, F9, 5C, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, B9, 57, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, 79, 52, 8B, 75, 00, 00, ...] .text C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 39, 54, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000775520f1 11 bytes [B8, B9, CE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000775521e0 12 bytes [48, B8, F9, 39, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b55c10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007756e750 12 bytes [48, B8, B9, 2D, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8afe4e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 0000000077571e31 11 bytes [B8, 39, E0, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 00000000775a5011 11 bytes [B8, 79, 75, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 00000000775a5031 11 bytes [B8, F9, 71, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000775ba560 12 bytes [48, B8, 79, 7C, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000775ba670 12 bytes [48, B8, F9, 78, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8aa7820]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefd791861 11 bytes [B8, 39, 4D, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefd7930f1 11 bytes [B8, 39, C4, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefd798b80 12 bytes [48, B8, 79, 4B, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd799940 12 bytes [48, B8, B9, C0, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefd799fb1 11 bytes [B8, 79, C2, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefd79bbb1 11 bytes [B8, F9, BE, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefd7a29c1 11 bytes [B8, B9, 49, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd7a5290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd7c4320 12 bytes [48, B8, 79, 3D, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd7d2841 8 bytes [B8, 39, 23, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd7d284a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd7d2881 11 bytes [B8, B9, 3B, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65 000007fefda00761 11 bytes [B8, 79, F3, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefda03b44 12 bytes [48, B8, 79, 67, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefda1b704 12 bytes [48, B8, B9, 65, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefda1b870 12 bytes [48, B8, 39, 5B, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefda1b8dc 12 bytes [48, B8, 79, 59, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefda2a1a0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefda4fa50 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1 000007feff69642d 11 bytes [B8, F9, 55, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff696484 12 bytes [48, B8, B9, 50, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1 000007feff696519 11 bytes [B8, F9, 5C, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff696c34 12 bytes [48, B8, F9, 4E, 8B, 75, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1 000007feff697ab5 11 bytes [B8, B9, 57, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1 000007feff698b01 11 bytes [B8, 79, 52, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1 000007feff698c39 11 bytes [B8, 39, 54, 8B, 75, 00, 00, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff8722cc 6 bytes {JMP QWORD [RIP+0x19dd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!BitBlt 000007feff8724c0 6 bytes JMP 1bdbb0 .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff875be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff878398 6 bytes {JMP QWORD [RIP+0x157c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff8789c8 6 bytes {JMP QWORD [RIP+0x137668]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!GetPixel 000007feff879344 6 bytes {JMP QWORD [RIP+0x176cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff87b9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\system32\wbem\wmiprvse.exe[3800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff885410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007786f8d0 5 bytes JMP 00000001750260c1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007786f908 5 bytes JMP 00000001750266f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007786f9c0 5 bytes JMP 0000000175025f11 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007786fb08 5 bytes JMP 0000000175025971 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007786fc00 5 bytes JMP 0000000175023061 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007786fc30 5 bytes JMP 00000001750215f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007786fc60 5 bytes JMP 0000000175021681 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007786fc90 5 bytes JMP 00000001750258e1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007786fd44 3 bytes JMP 70dd000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007786fd48 2 bytes JMP 70dd000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007786fda8 5 bytes JMP 0000000175026661 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007786fdf4 5 bytes JMP 0000000175022f41 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007786fe24 5 bytes JMP 0000000175023181 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007786fea0 3 bytes JMP 70da000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007786fea4 2 bytes JMP 70da000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007786ff04 5 bytes JMP 00000001750230f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007786ff84 5 bytes JMP 0000000175026781 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007786ffcc 5 bytes JMP 0000000175022d91 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007786ffe4 5 bytes JMP 0000000175022c71 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077870064 3 bytes JMP 7102000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077870068 2 bytes JMP 7102000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077870094 5 bytes JMP 0000000175021e61 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000778701a4 5 bytes JMP 0000000175022251 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077870398 3 bytes JMP 70cd000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007787039c 2 bytes JMP 70cd000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077870530 3 bytes JMP 7109000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077870534 2 bytes JMP 7109000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077870674 3 bytes JMP 70f4000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077870678 2 bytes JMP 70f4000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007787077c 5 bytes JMP 00000001750265d1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000778707f4 5 bytes JMP 0000000175022d01 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007787086c 3 bytes JMP 70d7000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077870870 2 bytes JMP 70d7000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077870884 5 bytes JMP 0000000175022be1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077870dd4 5 bytes JMP 0000000175025fa1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077870eb8 3 bytes JMP 70d4000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077870ebc 2 bytes JMP 70d4000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000778715e4 5 bytes JMP 0000000175024651 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077871900 5 bytes JMP 0000000175022fd1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077871bc4 5 bytes JMP 0000000175026031 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077871c94 3 bytes JMP 70ff000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077871c98 2 bytes JMP 70ff000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077871d6c 5 bytes JMP 0000000175026811 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl 0000000077871ec8 5 bytes JMP 0000000175026421 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000778888a4 5 bytes JMP 0000000175021a71 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077891217 6 bytes JMP 71a7000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 00000000778b0cfb 5 bytes JMP 0000000175021f81 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 00000000778f857f 5 bytes JMP 00000001750246e1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 00000000778fe81b 5 bytes JMP 0000000175021ef1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000768b0e00 5 bytes JMP 0000000175021d41 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000768b103d 6 bytes JMP 719b000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000768b1072 5 bytes JMP 0000000175022911 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000768b49bf 5 bytes JMP 0000000175022521 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000768c3bdb 5 bytes JMP 0000000175022eb1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000768d7347 5 bytes JMP 0000000175022641 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000768d8954 5 bytes JMP 0000000175025e81 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000768dc9b5 6 bytes JMP 718e000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076932c91 5 bytes JMP 00000001750227f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000076956f6b 5 bytes JMP 0000000175024261 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000076956f8e 5 bytes JMP 0000000175024381 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000076957339 5 bytes JMP 00000001750244a1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 00000000769573b2 5 bytes JMP 00000001750245c1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000076c88f7d 5 bytes JMP 00000001750219e1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000076c8c428 5 bytes JMP 00000001750237b1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000076c8ec98 5 bytes JMP 00000001750232a1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000076c8f1f8 5 bytes JMP 00000001750222e1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076c8f776 6 bytes JMP 719e000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000076c8fa7b 5 bytes JMP 0000000175021dd1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000076c9134a 5 bytes JMP 0000000175023721 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076c91371 5 bytes JMP 0000000175023691 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076c91d1b 5 bytes JMP 0000000175021951 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076c91e07 5 bytes JMP 0000000175022401 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076c92aa4 5 bytes JMP 0000000175025a91 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076c92c91 4 bytes CALL 71ab0000 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000076c92ccc 5 bytes JMP 0000000175025a01 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076c92d0a 5 bytes JMP 0000000175025b21 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000076c92e6d 5 bytes JMP 00000001750218c1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000076c93b63 5 bytes JMP 00000001750221c1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000076c94489 5 bytes JMP 0000000175022371 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000076c945fb 5 bytes JMP 0000000175023211 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076c94624 5 bytes JMP 0000000175022b51 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000076c9c72c 5 bytes JMP 00000001750226d1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000757a78e2 5 bytes JMP 0000000175024021 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000757a7bd3 5 bytes JMP 0000000175023f91 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000757a8a29 5 bytes JMP 00000001750252b1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000757a8bff 6 bytes JMP 7157000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757a90d3 6 bytes JMP 7112000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000757a9679 6 bytes JMP 7151000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757a97d2 6 bytes JMP 714b000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000757a98fd 5 bytes JMP 0000000175025cd1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000757ab6ed 5 bytes JMP 00000001750268a1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000757ad22e 5 bytes JMP 0000000175025341 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000757aee09 6 bytes JMP 7165000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000757aefc9 3 bytes JMP 7118000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000757aefcd 2 bytes JMP 7118000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000757affe6 5 bytes JMP 0000000175025bb1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000757b00d9 5 bytes JMP 0000000175025c41 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000757b05ba 5 bytes JMP 0000000175024141 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000757b0dfb 5 bytes JMP 00000001750253d1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757b12a5 5 bytes JMP 0000000175026541 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000757b20ec 5 bytes JMP 0000000175025731 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000757b291f 6 bytes JMP 7130000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetParent 00000000757b2d64 3 bytes JMP 7127000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000757b2d68 2 bytes JMP 7127000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000757b2da4 6 bytes JMP 710f000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000757b3698 3 bytes JMP 7124000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000757b369c 2 bytes JMP 7124000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000757b3baa 5 bytes JMP 00000001750264b1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000757b3c61 6 bytes JMP 715a000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000757b5f74 5 bytes JMP 00000001750240b1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000757b612e 6 bytes JMP 7154000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000757b6285 5 bytes JMP 0000000175024771 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000757b6c30 6 bytes JMP 7115000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757b7603 5 bytes JMP 0000000175022ac1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000757b7668 6 bytes JMP 713f000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757b76e0 6 bytes JMP 7145000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000757b781f 6 bytes JMP 714e000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000757b7aee 5 bytes JMP 00000001750256a1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757b835c 5 bytes JMP 0000000175022a31 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000757bc4b6 3 bytes JMP 7121000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000757bc4ba 2 bytes JMP 7121000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000757cc112 6 bytes JMP 713c000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000757cce54 5 bytes JMP 00000001750254f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000757cd0f5 6 bytes JMP 7139000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000757ceb96 6 bytes JMP 712d000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000757cec68 3 bytes JMP 7133000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000757cec6c 2 bytes JMP 7133000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000757cf52b 5 bytes JMP 0000000175024801 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000757cf588 5 bytes JMP 0000000175025d61 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendInput 00000000757cff4a 3 bytes JMP 7136000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000757cff4e 2 bytes JMP 7136000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000757d10a0 5 bytes JMP 0000000175025461 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757e9f1d 6 bytes JMP 711b000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757f1497 6 bytes JMP 710c000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000757ffcd6 5 bytes JMP 0000000175025581 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000757ffcfa 5 bytes JMP 0000000175025611 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!mouse_event 000000007580027b 6 bytes JMP 7170000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!keybd_event 00000000758002bf 6 bytes JMP 7173000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075806cfc 6 bytes JMP 7148000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075806d5d 6 bytes JMP 7142000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075807dd7 3 bytes JMP 711e000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075807ddb 2 bytes JMP 711e000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000758088eb 3 bytes JMP 712a000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000758088ef 2 bytes JMP 712a000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000755158b3 6 bytes JMP 7182000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075515ea6 6 bytes JMP 717f000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075517bcc 6 bytes JMP 718b000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007551b895 6 bytes JMP 7176000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007551c332 6 bytes JMP 717c000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007551cbfb 6 bytes JMP 7185000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007551e743 6 bytes JMP 7188000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075544646 6 bytes JMP 7179000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000076cda472 5 bytes JMP 0000000175026931 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000076ce27ce 5 bytes JMP 0000000175021b91 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000076cee6cf 5 bytes JMP 0000000175021b01 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 00000000773bca4c 5 bytes JMP 00000001750238d1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 00000000773c2bf0 5 bytes JMP 0000000175023841 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000773c369c 5 bytes JMP 0000000175023cc1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 00000000773c49e5 5 bytes JMP 00000001750269c1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000773d712c 5 bytes JMP 0000000175023f01 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000773d7144 5 bytes JMP 0000000175023a81 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000773d715c 5 bytes JMP 0000000175023b11 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773f2538 6 bytes JMP 7194000a .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000773f30e8 5 bytes JMP 0000000175023ba1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000773f30f8 5 bytes JMP 0000000175023c31 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000773f3108 5 bytes JMP 0000000175023961 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000773f3118 5 bytes JMP 00000001750239f1 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000773f3158 5 bytes JMP 0000000175023e71 .text C:\Users\Maka\Desktop\gmer.exe[1184] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000773f52e9 6 bytes JMP 7191000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\COMCTL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHELL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\OLEACC.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\OLEACC.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\UxTheme.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1900] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHELL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\nvvsvc.exe[1908] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\GetBootTime.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\GetBootTime.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\WINSPOOL.DRV[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHELL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\FBAgent.exe[2024] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [806f0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805e0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ncrypt.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\ncrypt.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\netcfgx.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\netcfgx.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805e0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\WLANExt.exe[2032] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\taskeng.exe[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[1800] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\spoolsv.exe[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80620000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\IPHLPAPI.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\IPHLPAPI.DLL[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80620000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\rasadhlp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\localspl.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\localspl.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\srvcli.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\srvcli.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\FirewallAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\dsrole.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\win32spl.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\win32spl.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\cscapi.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\cscapi.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\netutils.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\netutils.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\System32\mgmtapi.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\System32\spoolsv.exe[2056] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80650000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806b0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80710000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80650000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ c:\windows\system32\AUTHZ.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\pcwum.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\pcwum.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ c:\windows\system32\mpssvc.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ c:\windows\system32\FirewallAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80600000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806b0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[2160] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\taskhost.exe[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\System32\PlaySndSrv.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\WINMM.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MsCtfMonitor.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MSUTB.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\uxtheme.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\SHELL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\MMDevAPI.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\ksuser.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskhost.exe[2224] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\taskeng.exe[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\taskeng.exe[2204] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\Dwm.exe[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\Dwm.exe[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\UxTheme.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\IMM32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\IMM32.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dwmredir.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dwmcore.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dwmcore.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dxgi.dll[USER32.dll!SetWindowsHookExA] [80030000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dxgi.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\Dwm.exe[2128] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [806b0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\Secur32.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805d0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805d0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\System32\gameux.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\authui.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\system32\AVRT.dll[ntdll.dll!NtTerminateProcess] [805a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Program Files\P4G\OvrClk.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Program Files\P4G\BatteryLife.exe[3188] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [806f0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\TQUERY.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\VSSAPI.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\VSSAPI.DLL[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\WINSTA.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\samcli.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\netutils.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\netutils.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\USERENV.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[3900] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [806f0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4012] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80650000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806b0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80710000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80680000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80650000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80600000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ c:\windows\system32\FirewallAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\dhcpcsvc.DLL[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80600000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateFile] [806e0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\System32\wship6.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [805d0000] IAT C:\Windows\system32\svchost.exe[1792] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!PostMessageA] [80150000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [80620000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\credui.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\credui.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ole32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\IMM32.DLL[USER32.dll!PostMessageA] [80150000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\MSCTF.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\uxtheme.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\aclui.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\aclui.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\iphlpapi.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\iphlpapi.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\winsta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\winsta.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64cpu.DLL[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtCreateThreadEx] [80730000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtCreateThread] [801d0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtSystemDebugControl] [80580000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64.dll[ntdll.dll!NtLoadDriver] [80620000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64win.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64win.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\wow64win.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [80620000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\System32\wshtcpip.dll[ntdll.dll!NtTerminateProcess] [805f0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\ntshrui.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\srvcli.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\srvcli.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\cscapi.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\cscapi.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\System32\shdocvw.dll[USER32.dll!PostMessageW] [801a0000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [80700000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Users\Maka\AppData\Local\Temp\procexp64.exe[4040] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateThreadEx] [806f0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ole32.dll[ntdll.dll!ZwClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805e0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\NSI.dll[ntdll.dll!NtTerminateProcess] [805b0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [806c0000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[3800] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [80000000] ---- Modules - GMER 2.1 ---- Module \??\C:\Windows\system32\Drivers\PROCEXP152.SYS fffff8800bd76000-fffff8800bd83000 (53248 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}\Connection@Name isatap.{69DB0F4C-E991-4AE8-8AFB-95CE6990EDF3} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{6BDF746E-3B5C-4D75-8D2B-62549E856F04}?\Device\{71DAE9F4-53F7-41BD-B117-FF7FC0009D57}?\Device\{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}?\Device\{52EE80B1-4F97-40A4-B602-351EB9D027F2}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{6BDF746E-3B5C-4D75-8D2B-62549E856F04}"?"{71DAE9F4-53F7-41BD-B117-FF7FC0009D57}"?"{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}"?"{52EE80B1-4F97-40A4-B602-351EB9D027F2}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{6BDF746E-3B5C-4D75-8D2B-62549E856F04}?\Device\TCPIP6TUNNEL_{71DAE9F4-53F7-41BD-B117-FF7FC0009D57}?\Device\TCPIP6TUNNEL_{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}?\Device\TCPIP6TUNNEL_{52EE80B1-4F97-40A4-B602-351EB9D027F2}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d48f14 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}@InterfaceName isatap.{69DB0F4C-E991-4AE8-8AFB-95CE6990EDF3} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{124DBBAB-FD64-43C7-B72B-6371FE7CF6E1}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d48f14 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Maka\Safe Doc 0 bytes File C:\Users\Maka\Safe Video 0 bytes File C:\Users\Maka\Safe Music 0 bytes ---- EOF - GMER 2.1 ----