GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-04 18:19:28 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKS-00D2B0 rev.12.01C02 465,76GB Running: 0ecwt16d.exe; Driver: C:\Users\As\AppData\Local\Temp\uglcqaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771cff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771d0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\services.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\services.exe[600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\services.exe[600] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes JMP 0 .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077092294 6 bytes {JMP QWORD [RIP+0x904dd9c]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000770971e9 5 bytes {JMP QWORD [RIP+0x9068e48]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000770a9320 6 bytes {JMP QWORD [RIP+0x9016d10]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 9c6 .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\services.exe[600] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x3dcc0]} .text C:\Windows\system32\lsass.exe[608] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x5da98]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 13b4 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 790053 .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x4dcc0]} .text C:\Windows\system32\lsm.exe[616] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x6da98]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x317cb8]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\nvvsvc.exe[816] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 1eb678 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes {JMP QWORD [RIP+0x15a910]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[256] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes JMP 134d880 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes JMP 8f6e629 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes JMP 63bc80 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes JMP 935f059 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes JMP 48d1cc9 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes JMP 24132413 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes JMP 6c2cd842 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes JMP 49e481 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes JMP 90ba538 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes JMP 630072 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes JMP 11681 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes JMP 730073 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes JMP 7a007a .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes JMP 730073 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes JMP 800080 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes JMP 8000a .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes JMP 9360691 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes JMP 87c1c62 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes JMP 9868480 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes JMP 8f6c7c9 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes JMP 440044 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes JMP 65b801 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\svchost.exe[368] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes {JMP QWORD [RIP+0x15a910]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[584] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\System32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\System32\spoolsv.exe[1520] C:\Windows\System32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 1d0032 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes {JMP QWORD [RIP+0x15a910]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes {JMP QWORD [RIP+0xb05e0]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x317cb8]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1796] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[2240] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP ffff0000 .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[2428] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes JMP 2b9698cb .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x317cb8]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x921d060]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000771cff70 6 bytes {JMP QWORD [RIP+0x8f500c0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x91d0090]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771d00d0 6 bytes {JMP QWORD [RIP+0x8f2ff60]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771d00e0 6 bytes {JMP QWORD [RIP+0x918ff50]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x97dfec0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x916fe50]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x910fe10]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000771d0240 6 bytes {JMP QWORD [RIP+0x91afdf0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771d02b0 6 bytes {JMP QWORD [RIP+0x8fcfd80]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x988fd70]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771d0330 6 bytes {JMP QWORD [RIP+0x8fafd00]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x90efce0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x975fca0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x977fc50]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x914fc30]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x8eefa40]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771d0600 6 bytes {JMP QWORD [RIP+0x8ecfa30]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f0f930]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x90af860]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771d0810 6 bytes {JMP QWORD [RIP+0x8fef820]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771d0880 6 bytes {JMP QWORD [RIP+0x8f6f7b0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000771d0890 6 bytes {JMP QWORD [RIP+0x912f7a0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771d08b0 6 bytes {JMP QWORD [RIP+0x906f780]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771d0910 6 bytes {JMP QWORD [RIP+0x902f720]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x98af710]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x98ef700]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000771d0990 6 bytes {JMP QWORD [RIP+0x90cf6a0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x980f390]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x98cf300]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771d0dd0 6 bytes {JMP QWORD [RIP+0x900f260]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771d0e40 6 bytes {JMP QWORD [RIP+0x8f8f1f0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771d0e90 6 bytes {JMP QWORD [RIP+0x904f1a0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771d13a0 6 bytes {JMP QWORD [RIP+0x908ec90]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x982ea90]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x979ea10]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x97be990]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f67900 6 bytes {JMP QWORD [RIP+0x90b8730]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9854c60]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f75650 6 bytes {JMP QWORD [RIP+0x910a9e0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x9801880]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fe1740 6 bytes {JMP QWORD [RIP+0x905e8f0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x97a7900]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd44a330 5 bytes [FF, 25, 00, 5D, 1F] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 20] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefdf6687c 6 bytes {JMP QWORD [RIP+0x1c97b4]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefdf68e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefdf6995c 6 bytes {JMP QWORD [RIP+0x2266d4]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefdf699e4 6 bytes {JMP QWORD [RIP+0x12664c]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefdf69ac8 6 bytes {JMP QWORD [RIP+0x106568]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefdf6a51c 6 bytes {JMP QWORD [RIP+0x1a5b14]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefdf6a530 6 bytes {JMP QWORD [RIP+0x185b00]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefdf6a5b0 5 bytes [FF, 25, 80, 5A, 14] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefdf6a5c4 6 bytes {JMP QWORD [RIP+0x165a6c]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefdf6bb28 6 bytes {JMP QWORD [RIP+0x1e4508]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefdf6bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefdf6bb40 2 bytes [20, 00] .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes {JMP QWORD [RIP+0x17a910]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[3976] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x921d060]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000771cff70 6 bytes {JMP QWORD [RIP+0x8f500c0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x91d0090]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771d00d0 6 bytes {JMP QWORD [RIP+0x8f2ff60]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771d00e0 6 bytes {JMP QWORD [RIP+0x918ff50]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x97dfec0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x916fe50]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x910fe10]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000771d0240 6 bytes {JMP QWORD [RIP+0x91afdf0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771d02b0 6 bytes {JMP QWORD [RIP+0x8fcfd80]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x988fd70]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771d0330 6 bytes {JMP QWORD [RIP+0x8fafd00]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x90efce0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x975fca0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x977fc50]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x914fc30]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x8eefa40]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771d0600 6 bytes {JMP QWORD [RIP+0x8ecfa30]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f0f930]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x90af860]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771d0810 6 bytes {JMP QWORD [RIP+0x8fef820]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771d0880 6 bytes {JMP QWORD [RIP+0x8f6f7b0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000771d0890 6 bytes {JMP QWORD [RIP+0x912f7a0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771d08b0 6 bytes {JMP QWORD [RIP+0x906f780]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771d0910 6 bytes {JMP QWORD [RIP+0x902f720]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x98af710]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x98ef700]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000771d0990 6 bytes {JMP QWORD [RIP+0x90cf6a0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x980f390]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x98cf300]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771d0dd0 6 bytes {JMP QWORD [RIP+0x900f260]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771d0e40 6 bytes {JMP QWORD [RIP+0x8f8f1f0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771d0e90 6 bytes {JMP QWORD [RIP+0x904f1a0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771d13a0 6 bytes {JMP QWORD [RIP+0x908ec90]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x982ea90]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x979ea10]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x97be990]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f67900 6 bytes {JMP QWORD [RIP+0x90b8730]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9854c60]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f75650 6 bytes {JMP QWORD [RIP+0x910a9e0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x9801880]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fe1740 6 bytes {JMP QWORD [RIP+0x905e8f0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x97a7900]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd44a330 5 bytes [FF, 25, 00, 5D, 1F] .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefdf6687c 6 bytes {JMP QWORD [RIP+0x1c97b4]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefdf68e30 6 bytes {JMP QWORD [RIP+0x247200]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefdf6995c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefdf699e4 6 bytes {JMP QWORD [RIP+0x12664c]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefdf69ac8 6 bytes {JMP QWORD [RIP+0x106568]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefdf6a51c 6 bytes {JMP QWORD [RIP+0x1a5b14]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefdf6a530 6 bytes {JMP QWORD [RIP+0x185b00]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefdf6a5b0 5 bytes [FF, 25, 80, 5A, 14] .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefdf6a5c4 6 bytes {JMP QWORD [RIP+0x165a6c]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefdf6bb28 6 bytes {JMP QWORD [RIP+0x1e4508]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefdf6bb3c 3 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefdf6bb40 2 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefd505720 6 bytes {JMP QWORD [RIP+0x17a910]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff3aa1a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff3cfa50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\svchost.exe[4052] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000751b1401 2 bytes JMP 769eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000751b1419 2 bytes JMP 769fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000751b1431 2 bytes JMP 76a78609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000751b144a 2 bytes CALL 769d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751b14dd 2 bytes JMP 76a77efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751b14f5 2 bytes JMP 76a780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000751b150d 2 bytes JMP 76a77df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000751b1525 2 bytes JMP 76a781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000751b153d 2 bytes JMP 769ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000751b1555 2 bytes JMP 769fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000751b156d 2 bytes JMP 76a786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000751b1585 2 bytes JMP 76a78222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000751b159d 2 bytes JMP 76a77db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751b15b5 2 bytes JMP 769ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751b15cd 2 bytes JMP 769fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751b16b2 2 bytes JMP 76a78584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751b16bd 2 bytes JMP 76a77d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4580] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Windows\system32\csrss.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771cff60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771d0160 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 8 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 4e20000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x317cb8]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\MSIMG32.dll!AlphaBlend 000007fefc1c1180 6 bytes {JMP QWORD [RIP+0x5eeb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3636] C:\Windows\system32\MSIMG32.dll!TransparentBlt 000007fefc1c1350 6 bytes {JMP QWORD [RIP+0x2ece0]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\MSIMG32.dll!AlphaBlend 000007fefc1c1180 6 bytes JMP e623 .text C:\Windows\system32\nvvsvc.exe[4780] C:\Windows\system32\MSIMG32.dll!TransparentBlt 000007fefc1c1350 6 bytes {JMP QWORD [RIP+0x2ece0]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes JMP 299fa10 .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\taskhost.exe[4072] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0xede04]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0xa7dd8]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x87cb8]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0xc69cc]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\system32\Dwm.exe[876] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000076f80420 5 bytes JMP 0000000176f50010 .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes CALL 0 .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 7fe .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes JMP 65006d .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes JMP 6d006100 .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\Explorer.EXE[3996] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x7da98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x74de04]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x707dd8]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x6e7cb8]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x7269cc]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\MSIMG32.dll!AlphaBlend 000007fefc1c1180 6 bytes {JMP QWORD [RIP+0x5eeb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\MSIMG32.dll!TransparentBlt 000007fefc1c1350 6 bytes {JMP QWORD [RIP+0x2ece0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[728] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000744911a8 2 bytes [49, 74] .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007449127d 2 bytes CALL 769d14dd C:\Windows\syswow64\kernel32.dll .text ... * 6 .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000744913a8 2 bytes [49, 74] .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074491422 2 bytes [49, 74] .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074491498 2 bytes [49, 74] .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4 0000000074611825 2 bytes JMP 74ff5e8d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4 0000000074611830 2 bytes JMP 74ff5ead C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4 000000007461183b 2 bytes JMP 74ff5ecd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4 0000000074611846 2 bytes JMP 74ff576d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4 0000000074611851 2 bytes JMP 74ff5eed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4 000000007461185c 2 bytes JMP 74ff5fcd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4 0000000074611867 2 bytes JMP 74ff5fed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4 0000000074611872 2 bytes JMP 74ff600d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4 000000007461187d 2 bytes JMP 74ff602d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4 0000000074611888 2 bytes JMP 74ff578d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4 0000000074611893 2 bytes JMP 74ff604d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4 000000007461189e 2 bytes JMP 74ff580d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4 00000000746118a9 2 bytes JMP 74ff606d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4 00000000746118b4 2 bytes JMP 74ff608d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4 00000000746118bf 2 bytes JMP 74fc1a12 C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4 00000000746118ca 2 bytes JMP 74ff60cd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4 00000000746118d5 2 bytes JMP 74ff582d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4 00000000746118e0 2 bytes JMP 74ff58ad C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4 00000000746118eb 2 bytes JMP 74ff58cd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4 00000000746118f6 2 bytes JMP 74ff662d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4 0000000074611901 2 bytes JMP 74ff57ed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4 000000007461190c 2 bytes JMP 74ff664d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4 0000000074611917 2 bytes JMP 74ff668d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4 0000000074611922 2 bytes JMP 74ff584d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4 000000007461192d 2 bytes JMP 74ff66ad C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4 0000000074611938 2 bytes JMP 74ff66cd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4 0000000074611943 2 bytes JMP 74ff66ed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4 000000007461194e 2 bytes JMP 74ff670d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4 0000000074611959 2 bytes JMP 74ff672d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4 0000000074611964 2 bytes JMP 74ff674d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4 000000007461196f 2 bytes JMP 74ff676d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4 000000007461197a 2 bytes JMP 74ff678d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4 0000000074611985 2 bytes JMP 74ff67ad C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4 0000000074611990 2 bytes JMP 74ff67cd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4 000000007461199b 2 bytes JMP 74ff67ed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4 00000000746119a6 2 bytes JMP 74ff680d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4 00000000746119b1 2 bytes JMP 74ff682d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4 00000000746119bc 2 bytes JMP 74ff684d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4 00000000746119c7 2 bytes JMP 74ff686d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4 00000000746119d2 2 bytes JMP 74ff688d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4 00000000746119dd 2 bytes JMP 74ff58ed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4 00000000746119e8 2 bytes JMP 74ff68cd C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4 00000000746119f3 2 bytes JMP 74ff68ed C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4 00000000746119fe 2 bytes JMP 74ff692b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4 0000000074611a09 2 bytes JMP 74ff694b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4 0000000074611a14 2 bytes JMP 74ff696b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4 0000000074611a1f 2 bytes JMP 74ff586d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4 0000000074611a2a 2 bytes JMP 74ff698b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4 0000000074611a35 2 bytes JMP 74ff69ab C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4 0000000074611a40 2 bytes JMP 74ff69cb C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4 0000000074611a4b 2 bytes JMP 74ff69eb C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4 0000000074611a56 2 bytes JMP 74ff6a0b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4 0000000074611a61 2 bytes JMP 74ff6a2b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4 0000000074611a6c 2 bytes JMP 74ff590d C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4 0000000074611a77 2 bytes JMP 74ff6a4b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4 0000000074611a82 2 bytes JMP 74ff6a6b C:\Windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe[3364] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52 0000000074611ab2 2 bytes JMP 76e4dc75 C:\Windows\syswow64\msvcrt.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000751b1401 2 bytes JMP 769eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000751b1419 2 bytes JMP 769fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000751b1431 2 bytes JMP 76a78609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000751b144a 2 bytes CALL 769d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751b14dd 2 bytes JMP 76a77efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751b14f5 2 bytes JMP 76a780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000751b150d 2 bytes JMP 76a77df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000751b1525 2 bytes JMP 76a781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000751b153d 2 bytes JMP 769ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000751b1555 2 bytes JMP 769fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000751b156d 2 bytes JMP 76a786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000751b1585 2 bytes JMP 76a78222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000751b159d 2 bytes JMP 76a77db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751b15b5 2 bytes JMP 769ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751b15cd 2 bytes JMP 769fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751b16b2 2 bytes JMP 76a78584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751b16bd 2 bytes JMP 76a77d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000751b1401 2 bytes JMP 769eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000751b1419 2 bytes JMP 769fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000751b1431 2 bytes JMP 76a78609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000751b144a 2 bytes CALL 769d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751b14dd 2 bytes JMP 76a77efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751b14f5 2 bytes JMP 76a780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000751b150d 2 bytes JMP 76a77df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000751b1525 2 bytes JMP 76a781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000751b153d 2 bytes JMP 769ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000751b1555 2 bytes JMP 769fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000751b156d 2 bytes JMP 76a786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000751b1585 2 bytes JMP 76a78222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000751b159d 2 bytes JMP 76a77db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751b15b5 2 bytes JMP 769ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751b15cd 2 bytes JMP 769fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751b16b2 2 bytes JMP 76a78584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751b16bd 2 bytes JMP 76a77d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes JMP 95b3cf0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes JMP 9946d40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes JMP 450043 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x74de04]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x707dd8]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x6e7cb8]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x7269cc]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\MSIMG32.dll!AlphaBlend 000007fefc1c1180 6 bytes {JMP QWORD [RIP+0x5eeb0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\MSIMG32.dll!TransparentBlt 000007fefc1c1350 6 bytes {JMP QWORD [RIP+0x2ece0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2548] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000751b1401 2 bytes JMP 769eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000751b1419 2 bytes JMP 769fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000751b1431 2 bytes JMP 76a78609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000751b144a 2 bytes CALL 769d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751b14dd 2 bytes JMP 76a77efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751b14f5 2 bytes JMP 76a780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000751b150d 2 bytes JMP 76a77df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000751b1525 2 bytes JMP 76a781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000751b153d 2 bytes JMP 769ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000751b1555 2 bytes JMP 769fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000751b156d 2 bytes JMP 76a786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000751b1585 2 bytes JMP 76a78222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000751b159d 2 bytes JMP 76a77db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751b15b5 2 bytes JMP 769ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751b15cd 2 bytes JMP 769fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751b16b2 2 bytes JMP 76a78584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[4860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751b16bd 2 bytes JMP 76a77d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\notepad.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\notepad.exe[3764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes [FF, 25, 10, B7, 1E] .text C:\Windows\notepad.exe[3764] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes JMP 0 .text C:\Windows\notepad.exe[3764] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes JMP c1000b90 .text C:\Windows\notepad.exe[3764] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x6e7cb8]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x7269cc]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes {JMP QWORD [RIP+0x2dcc0]} .text C:\Windows\notepad.exe[3764] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771a2fd0 6 bytes {JMP QWORD [RIP+0x8e9d060]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771cffa0 6 bytes {JMP QWORD [RIP+0x8e50090]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771d0170 6 bytes {JMP QWORD [RIP+0x8fefec0]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771d01e0 6 bytes {JMP QWORD [RIP+0x90cfe50]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771d0220 6 bytes {JMP QWORD [RIP+0x908fe10]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771d02c0 6 bytes {JMP QWORD [RIP+0x90efd70]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771d0350 6 bytes {JMP QWORD [RIP+0x906fce0]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771d0390 6 bytes {JMP QWORD [RIP+0x8f6fca0]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771d03e0 6 bytes {JMP QWORD [RIP+0x8f8fc50]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771d0400 6 bytes {JMP QWORD [RIP+0x90afc30]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771d05f0 6 bytes {JMP QWORD [RIP+0x916fa40]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771d0700 6 bytes {JMP QWORD [RIP+0x8f4f930]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771d07d0 6 bytes {JMP QWORD [RIP+0x900f860]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771d0920 6 bytes {JMP QWORD [RIP+0x910f710]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771d0930 6 bytes {JMP QWORD [RIP+0x914f700]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771d0ca0 6 bytes {JMP QWORD [RIP+0x902f390]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771d0d30 6 bytes {JMP QWORD [RIP+0x912f300]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771d15a0 6 bytes {JMP QWORD [RIP+0x904ea90]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771d1620 6 bytes {JMP QWORD [RIP+0x8faea10]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771d16a0 6 bytes {JMP QWORD [RIP+0x8fce990]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076f6b3d0 6 bytes {JMP QWORD [RIP+0x9134c60]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076f7e7b0 6 bytes {JMP QWORD [RIP+0x90e1880]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000076ff8730 6 bytes {JMP QWORD [RIP+0x9087900]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd44a4c8 3 bytes [42, 5B, 1A] .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd454920 5 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd98222c 6 bytes {JMP QWORD [RIP+0x37de04]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd988258 6 bytes {JMP QWORD [RIP+0x337dd8]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd988378 6 bytes {JMP QWORD [RIP+0x317cb8]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd989664 6 bytes {JMP QWORD [RIP+0x3569cc]} .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\system32\fltlib.dll!FilterConnectCommunicationPort 000007fefcf32370 6 bytes JMP 19ab .text C:\Windows\system32\AUDIODG.EXE[4944] C:\Windows\system32\fltlib.dll!FilterSendMessage 000007fefcf32598 6 bytes {JMP QWORD [RIP+0x4da98]} .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007737f980 3 bytes JMP 71af000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007737f984 2 bytes JMP 71af000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007737fc50 3 bytes JMP 7169000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007737fc54 2 bytes JMP 7169000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007737fd04 3 bytes JMP 7154000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007737fd08 2 bytes JMP 7154000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007737fd68 3 bytes JMP 715a000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007737fd6c 2 bytes JMP 715a000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007737fe60 3 bytes JMP 7151000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007737fe64 2 bytes JMP 7151000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007737ff44 3 bytes JMP 715d000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007737ff48 2 bytes JMP 715d000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007737ffa4 3 bytes JMP 7175000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 000000007737ffa8 2 bytes JMP 7175000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077380024 3 bytes JMP 7172000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077380028 2 bytes JMP 7172000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077380054 3 bytes JMP 7157000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077380058 2 bytes JMP 7157000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077380358 3 bytes JMP 7145000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 000000007738035c 2 bytes JMP 7145000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773804f0 3 bytes JMP 7178000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000773804f4 2 bytes JMP 7178000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077380634 3 bytes JMP 7166000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077380638 2 bytes JMP 7166000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007738082c 3 bytes JMP 714e000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077380830 2 bytes JMP 714e000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077380844 3 bytes JMP 7148000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077380848 2 bytes JMP 7148000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077380d94 3 bytes JMP 7163000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077380d98 2 bytes JMP 7163000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077380e78 3 bytes JMP 714b000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077380e7c 2 bytes JMP 714b000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077381b84 3 bytes JMP 7160000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077381b88 2 bytes JMP 7160000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077381c54 3 bytes JMP 716f000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077381c58 2 bytes JMP 716f000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077381d2c 3 bytes JMP 716c000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077381d30 2 bytes JMP 716c000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000773a1067 6 bytes JMP 71a8000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000769d102d 6 bytes JMP 719c000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000769d1062 6 bytes JMP 7199000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000769f126f 6 bytes JMP 7190000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000074f3eae7 6 bytes JMP 719f000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372 0000000074f41d26 4 bytes CALL 71ac0000 .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007614f0e6 6 bytes JMP 717b000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076158364 6 bytes JMP 7181000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000761606b3 6 bytes JMP 717e000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000074fb5876 6 bytes JMP 7184000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000074fb95f4 6 bytes JMP 718d000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000074fbb8d0 6 bytes JMP 7187000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000074fbe45d 6 bytes JMP 718a000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000751514fd 6 bytes JMP 7196000a .text C:\Users\As\Downloads\0ecwt16d.exe[1840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000751542a1 6 bytes JMP 7193000a ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- EOF - GMER 2.1 ----